Cryptographic system and computer readable medium

ABSTRACT

A cryptographic system ( 10 ) performs a cryptographic process using a basis. B and a basis B*. An encryption device ( 200 ) generates a ciphertext including a transmission-side vector being a vector in the basis B and being generated using one vector of a first vector consisting of coefficients y j  of a polynomial having x i  as roots and a second vector consisting of v 1   i  being a power of v 1 . A decryption device ( 300 ) decrypts the ciphertext generated by the encryption device ( 200 ) with a decryption key including a reception-side vector being a vector in the basis B* and being generated using the other vector of the first vector and the second vector.

TECHNICAL FIELD

The present invention relates to a functional encryption (FE) scheme.

BACKGROUND ART

Patent Literature 1 describes a functional encryption (FE) scheme.

CITATION LIST Patent Literature

-   Patent Literature 1: JP 2012-133214 A

Non-Patent Literature

-   Non-Patent Literature 1: Attrapadung, N., Libert, B., de Panafieu,     E.: Expressive key-policy attribute-based encryption with     constant-size ciphertexts. In: Catalano et al. [6], pp. 90.108 -   Non-Patent Literature 2: Okamoto, T., Takashima, K.: Achieving Short     Ciphertexts or Short Secret-Keys for Adaptively Secure General     Inner-Product Encryption. CANS 2011, LNCS, vol. 7092, pp. 138-159     Springer Heidelberg (2011). -   Non-Patent Literature 3: Okamoto, T Takashima, K.: Decentralized     Attribute-Based Signatures.ePrint http://eprint.iacr.org/2011/701

SUMMARY OF INVENTION Technical Problem

In the functional encryption scheme described in Patent Literature 1, it is necessary to generate a vector constituting a ciphertext or a vector constituting a decryption key for each attribute category t. The size of a ciphertext is large, so that decryption and so on require processing time.

It is an object of the present invention to reduce the sizes of a ciphertext, a decryption key, a signature, and so on.

Solution to Problem

A cryptographic system according to the present invention performs a cryptographic process using a basis B and a basis B*, and the cryptographic system includes:

a transmission device to generate a transmission-side vector being a vector in the basis B and being generated using one vector of a first vector consisting of coefficients y_(j) (j=1, . . . , n) of a polynomial having attribute information x_(i) (i=1, . . . , n′, n′ being an integer from 1 to n−1, n being an integer of 2 or greater) as roots and a second vector consisting of v₁′ (i=0, . . . , n−1) being a power of predicate information v₁; and

a reception device to perform a pairing operation on the transmission-side vector and a reception-side vector being a vector in the basis B* and being generated using the other vector of the first vector and the second vector.

Advantageous Effects of Invention

A cryptographic system according to the present invention can reduce the sizes of a ciphertext, a decryption key, a signature, and so on by providing special configurations of vectors used to generate a transmission-side vector and a reception-side vector.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is an explanatory drawing of a matrix M^;

FIG. 2 is an explanatory drawing of a matrix M_(δ);

FIG. 3 is an explanatory drawing of s₀;

FIG. 4 is an explanatory drawing of {right arrow over (s)}^(T);

FIG. 5 is a configuration diagram of a cryptographic system 10 that implements a KP-ABE scheme according to Embodiment 1;

FIG. 6 is a configuration diagram of a key generation device 100 according to Embodiment 1;

FIG. 7 is a configuration diagram of an encryption device 200 according to Embodiment 1;

FIG. 8 is a configuration diagram of a decryption device 300 according to Embodiment 1;

FIG. 9 is a flowchart illustrating the process of a Setup algorithm according to Embodiment 1;

FIG. 10 is a flowchart illustrating the process of a KeyGen algorithm according to Embodiment 1;

FIG. 11 is a flowchart illustrating the process of an Enc algorithm according to Embodiment 1;

FIG. 12 is a flowchart illustrating the process of a Dec algorithm according to Embodiment 1;

FIG. 13 is a configuration diagram of a cryptographic system 10 that implements a CP-ABE scheme according to Embodiment 2;

FIG. 14 is a configuration diagram of a key generation device 100 according to Embodiment 2;

FIG. 15 is a configuration diagram of an encryption device 200 according to Embodiment 2;

FIG. 16 is a flowchart illustrating the process of a KeyGen algorithm according to Embodiment 2;

FIG. 17 is a flowchart illustrating the process of an Enc algorithm according to Embodiment 2;

FIG. 18 is a configuration diagram of a cryptographic system 10 that implements an ABS scheme according to Embodiment 4;

FIG. 19 is a configuration diagram of a key generation device 100 according to Embodiment 4;

FIG. 20 is a configuration diagram of a signature device 400 according to Embodiment 4;

FIG. 21 is a configuration diagram of a verification device 500 according to Embodiment 4;

FIG. 22 is a flowchart illustrating the process of a Setup algorithm according to Embodiment 4;

FIG. 23 is a flowchart illustrating the process of a KeyGen algorithm according to Embodiment 4;

FIG. 24 is a flowchart illustrating the process of a Sig algorithm according to Embodiment 4;

FIG. 25 is a flowchart illustrating the process of a Ver algorithm according to Embodiment 4; and

FIG. 26 is a diagram illustrating an example of a hardware configuration of each device of the cryptographic system 10 presented in Embodiments 1 to 5.

DESCRIPTION OF EMBODIMENTS Embodiment 1

Notations to be used in the following description will be described.

When A is a random variable or distribution, Formula 101 denotes that y is randomly selected from A according to the distribution of A. That is, y is a random number in Formula 101.

$\begin{matrix} {y\overset{R}{\longleftarrow}A} & \left\lbrack {{Formula}\mspace{14mu} 101} \right\rbrack \end{matrix}$

When A is a set, Formula 102 denotes that y is uniformly selected from A. That is, y is a uniform random number in Formula 102.

$\begin{matrix} {y\overset{U}{\longleftarrow}A} & \left\lbrack {{Formula}\mspace{14mu} 102} \right\rbrack \end{matrix}$

Formula 103 denotes that y is set, defined, or substituted by z. y:=z  [Formula 103]

When a is a fixed value, Formula 104 denotes that a machine (algorithm) A outputs a on input x. A(x)→a  [Formula 104] For example, A(x)→1

Formula 105, namely F_(q), denotes a finite field of order q.

_(q)  [Formula 105] A vector symbol denotes a vector representation over the finite field F_(q), as indicated in Formula 106. {right arrow over (x)} denotes (x ₁ , . . . ,x _(n))ε_(q) ^(n)

_(q) ^(n).  [Formula 106]

Formula 107 denotes that the inner-product, indicated in Formula 109, of two vectors {right arrow over (x)} and {right arrow over (v)} indicated in Formula 108. {right arrow over (x)}·{right arrow over (v)}  [Formula 107] {right arrow over (x)}=(x ₁ , . . . ,x _(n)), v =(v ₁ , . . . ,v _(n))  [Formula 108] Σ_(i=1) ^(n) x _(i) v _(i)  [Formula 109]

Note that X^(T) denotes the transpose of a matrix X.

For a basis B and a basis B* indicated in Formula 110, Formula 111 is established.

:=(b ₁ , . . . ,b _(N)),

*:=(b ₁ *, . . . ,b _(N)*)  [Formula 110]

:=Σ_(i=1) ^(N) x _(i) b _(i),

:=Σ_(i−1) ^(N) y _(i) b _(i)*  [Formula 111]

Note that {right arrow over (e)}_(j) denotes a normal basis vector indicated in Formula 112.

$\begin{matrix} {{{{{\overset{->}{e}}_{j}\text{:}\mspace{14mu}\left( {\overset{\overset{j - 1}{︷}}{0\mspace{14mu}\ldots\mspace{14mu} 0},1,\overset{\overset{n - j}{︷}}{0\mspace{14mu}\ldots\mspace{14mu} 0}} \right)} \in {{??}_{q}^{n}\mspace{14mu}{for}\mspace{14mu} j}} = 1},\ldots\mspace{11mu},n,} & \left\lbrack {{Formula}\mspace{14mu} 112} \right\rbrack \end{matrix}$

In the following description, when Vt, nt, ut, wt, zt, nu, wu, and zu are each represented as a subscript or superscript, these Vt, nt, ut, wt, zt, nu, wu, and zu respectively denote V_(t), u_(t), n_(t), w_(t), z_(t), n_(u), w_(u), and z_(u). Similarly, when δi,j is represented as a superscript, this δi,j denotes δ_(i,j). Similarly, when φj is represented as a superscript, this φj denotes φ_(j). Similarly, when s0 is represented as a superscript, this s0 denotes s₀.

When → denoting a vector is attached to a subscript or superscript, it is meant that this → is attached as a superscript to the subscript or superscript.

In the following description, a cryptographic process and a cryptographic scheme include not only a narrowly-defined cryptographic process for keeping information secure from a third party, but also include a signature process, and include a key generation process, an encryption process, a decryption process, a signature process, and a verification process.

In Embodiment 1, a basic concept for implementing a cryptographic scheme will be described, and then a structure of a cryptographic scheme according to Embodiment 1 will be described.

First, a space having a rich mathematical structure called “dual pairing vector spaces (DPVS)” which is a space for implementing the cryptographic scheme will be described.

Second, a concept for implementing the cryptographic scheme will be described. Here, a span program, an access structure, and a secret distribution scheme (secret sharing scheme) will be described.

Third, a basic structure of the cryptographic scheme according to Embodiment 1 will be described. In Embodiment 1, a key-policy attribute-based encryption (KP-ABE) scheme will be described.

Fourth, a basic configuration of a cryptographic system 10 that implements the cryptographic scheme according to Embodiment 1 will be described.

Fifth, a key technique and a simplified cryptographic scheme of the cryptographic scheme according to Embodiment 1 will be described.

Sixth, the cryptographic scheme according to Embodiment 1 will be described in detail.

<1. Dual Pairing Vector Spaces>

First, symmetric bilinear pairing groups will be described.

Symmetric bilinear pairing groups (g, G, G_(T), g, e) are a tuple of a prime q, a cyclic additive group G of order q, a cyclic multiplicative group G_(T) of order q, g≠0εG, and a polynomial-time computable nondegenerate bilinear pairing e: G×G→G_(T). The nondegenerate bilinear pairing signifies e(sg, tg)=e(g, g)^(st), and e(g, g)≠1.

In the following description, let G_(bpg) be an algorithm that takes as input 1^(λ) and outputs values of a parameter param_(G):=(q, G, G_(T), g, e) of bilinear pairing groups with a security parameter λ.

Dual pairing vector spaces will now be described.

Dual pairing vector spaces (q, V, G_(T), A, e) can be constructed by a direct product of the symmetric bilinear pairing groups (param_(G):=(q, G, G_(T), g, e)). The dual pairing vector spaces (q, V, G_(T), A, e) are a tuple of a prime q, an N-dimensional vector space V over F_(q) indicated in Formula 113, a cyclic group G_(T) of order q, and a canonical basis A:=(a₁, . . . , a_(N)) of the space V, and have the following operations (1) and (2), where a_(i) is as indicated in Formula 114.

$\begin{matrix} {{??}:=\overset{\overset{N}{︷}}{{??} \times \ldots \times {??}}} & \left\lbrack {{Formula}\mspace{14mu} 113} \right\rbrack \\ {a_{i}:=\left( {\overset{\overset{i - 1}{︷}}{0,\ldots\mspace{11mu},0},g,\overset{\overset{N - i}{︷}}{0,\ldots\mspace{11mu},0}} \right)} & \left\lbrack {{Formula}\mspace{14mu} 114} \right\rbrack \end{matrix}$

Operation (1): Nondegenerate Bilinear Pairing

A pairing in the space V is defined by Formula 115. e(x,y):=Π_(i−1) ^(N) e(G _(i) ,H _(i))ε

_(T)  [Formula 115] where (G ₁ , . . . ,G _(N)):=xε

, (H ₁ , . . . ,H _(N)):=yε

This is nondegenerate bilinear, that is, e(sx, ty)=e(x, y)^(st) and if e(x, y)=1 for all yεV, then x=0. For all i and j, e(a_(i), a_(j))=e(g, g)^(δi,j), where δ_(i,j)=1 if i=j, and δ_(i,j)=0 if i≠j, and e(g, g)≠1εG_(T).

Operation (2): Distortion Maps

Linear transformations φ_(i,j) on the space V indicated in Formula 116 can achieve Formula 117. If φ_(i,j)(a _(j))=a _(i) and k≠j, then φ_(i,j)(a _(k))=0.  [Formula 116]

$\begin{matrix} {{{\phi_{i,j}(x)}:=\left( {\overset{\overset{i - 1}{︷}}{0,\ldots\mspace{11mu},0},g_{j},\overset{\overset{N - i}{︷}}{0,\ldots\mspace{11mu},0}} \right)}{{{where}\left( {g_{1},{\ldots\mspace{14mu} g_{N}}} \right)}:=x}} & \left\lbrack {{Formula}\mspace{14mu} 117} \right\rbrack \end{matrix}$

The linear transformations φ_(i,j) will be called distortion maps.

In the following description, let G_(dpvs) be an algorithm that takes as input 1^(λ) (λε natural number), Nεnatural number, and values of a parameter param_(G):=(q, G, G_(T), g, e) of bilinear pairing groups, and outputs values of a parameter param_(V):=(q, V, G_(T), A, e) of dual pairing vector spaces with a security parameter λ and an N-dimensional space V.

Description will be directed herein to a case where the dual pairing vector spaces are constructed using the above-described symmetric bilinear pairing groups. The dual pairing vector spaces can also be constructed using asymmetric bilinear pairing groups. The following description can easily be adapted to a case where the dual pairing vector spaces are constructed using asymmetric bilinear pairing groups.

<2. Concept for Implementing Cryptographic Scheme>

<2-1. Span Program>

FIG. 1 is an explanatory drawing of a matrix M^.

Let {p₁, . . . , p_(n)} be a Set of Variables. M^:=(M, ρ) is a Labeled Matrix. The matrix M is an (L rows×r columns) matrix over F_(q), and ρ is a label of columns of the matrix M and is related to one of literals {p₁, . . . , p_(n),

p₁, . . . ,

p_(n)}. A label ρ_(i) (i=1, . . . , L) of each row of M is related to one of the literals. That is, ρ: {1, . . . , L}→{p₁, . . . , p_(n),

p₁, . . . ,

P_(n)}.

For every input sequence δ ε{0, 1}^(n), a submatrix M_(δ) of the matrix M is defined. The matrix M_(δ) is a submatrix consisting of those rows of the matrix M the labels p of which are related to a value “1” by the input sequence δ. That is, the matrix M_(δ) is a submatrix consisting of the rows of the matrix M which are related to p_(i) such that δ_(i)=1 and the rows of the matrix M which are related to

p_(i) such that δ_(i)=0.

FIG. 2 is an explanatory drawing of the matrix M_(δ). In FIG. 2, note that n=7, L=6, and r=5. That is, the set of variables is {p₁, . . . , p₇}, and the matrix M is a (6 rows×5 columns) matrix. In FIG. 2, assume that the labels p are related such that ρ₁ is related to

p₂, ρ₂ to p₁, ρ₃ to p₄, ρ₄ to

p₅, ρ₅ to

p₃, and ρ₆ to p₅.

Assume that in an input sequence δ ε{0, 1}⁷, δ₁=1, δ₂=0, δ₃=, δ₄=0, δ₅=0, δ₆=1, and δ₇=1. In this case, a submatrix consisting of the rows of the matrix M which are related to literals (p₁, p₃, p₆, p₇,

p₂,

p₄,

p₅) surrounded by broken lines is the matrix M_(δ). That is, the submatrix consisting of the first row (M₁), second row (M₂), and fourth row (M₄) of the matrix M is the matrix M_(δ).

In other words, when map γ: {1, . . . , L}→{0, 1} is [ρ(j)=p_(i)]

[δ_(i)=1] or [ρ(j)=

p_(i)]

[δ_(i)=0], then γ(j)=1; otherwise γ(j)=0. In this case, M_(δ):=(M_(j)):=(M_(j))_(γ(j)=1). Note that M_(j) is the j-th row of the matrix M.

That is, in FIG. 2, map γ(j)=1 (j=1, 2, 4), and map γ(j)=0 (j=3, 5, 6). Hence, (M_(j))_(γ(j)=1) is M₁, M₂, and M₄, and is the matrix M_(δ).

More specifically, whether or not the j-th row of the matrix M is included in the matrix M_(δ) is determined by whether the value of the map γ(j) is “0” or “1”.

The span program M⨣ accepts an input sequence δ if and only if {right arrow over (1)}ε span<M_(δ)>, and rejects the input sequence δ otherwise. That is, the span program M^ accepts the input sequence δ if and only if linear combination of the rows of the matrix M_(δ) which are obtained from the matrix M^ by the input sequence δ gives {right arrow over (1)}. {right arrow over (1)} is a row vector which has a value “1” in each element.

For example, in an example of FIG. 2, the span program M^ accepts the input sequence δ if and only if linear combination of the respective rows of the matrix M_(δ) consisting of the first, second, and fourth rows of the matrix M gives {right arrow over (1)}. That is, if there exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)={right arrow over (1)}, the span program M^ accepts the input sequence δ.

The span program is called monotone if its labels p are related to only positive literals {p₁, . . . , p_(n)}. The span program is called non-monotone if its labels ρ are related to the literals {p₁, . . . , p_(n),

p₁, . . . ,

p_(n)}. It is assumed herein that the span program is non-monotone. An access structure (non-monotone access structure) is constructed using the non-monotone span program. Briefly, an access structure controls access to encryption, that is, it controls whether a ciphertext is to be decrypted or not.

The span program being non-monotone, instead of being monotone, allows for a wider range of applications of the cryptographic scheme constructed using the span program.

<2-2. Access Structure>

U (⊂{0, 1}*) is a universe and a set of attributes, and U is represented by values of attributes, that is, v εF^(X) _(q) (:=F_(q)\{0}).

It is defined such that the attributes are a variable p in M^:=(M, ρ). That is, p:=v. The access structure S is a span program M^:=(M, ρ) with variables p:=v and p′:=v′, . . . . That is, the access structure S is S:=(M, ρ) with p: {1, . . . , L}→{v, v′, . . . ,

v,

v′, . . . }.

Let Γ be a set of attributes. That is, Γ:={x_(j)|_(1≦j≦n′)}.

When Γ is given to the access structure S, map γ: {1, . . . , L}→{0, 1} for the span program M^:=(M, ρ) is defined as follows. For each integer i=1, . . . , L, set γ(j)=1 if [ρ(i)=v_(i))]

[v_(i) εΓ] or [ρ(i)=

v_(i)]

[v_(i) εΓ]. Set γ(j)=0 otherwise.

The access structure S:=(M, ρ) accepts Γ if and only if {right arrow over (1)}ε span <(M_(i))_(γ(i)=1)>.

<2-3. Secret Distribution Scheme>

A secret distribution scheme for the access structure S:=(M, ρ) will be described.

The secret distribution scheme is distributing secret information to render it nonsense distributed information. For example, secret information s is distributed into 10 pieces to generate 10 pieces of distributed information. Each of the 10 pieces of distributed information does not have information on the secret information s. Hence, even when one of the pieces of distributed information is obtained, no information can be obtained on the secret information s. On the other hand, if all of the 10 pieces of distributed information are obtained, the secret information s can be recovered.

There is another secret distribution scheme according to which the secret information s can be recovered if some (for example, 8 pieces) of distributed information can be obtained, without obtaining all of the 10 pieces of distributed information. A case like this where the secret information s can be recovered using 8 pieces out of 10 pieces of distributed information will be called 8-out-of-10. That is, a case where the secret information s can be recovered using t pieces out of n pieces of distributed information will be called t-out-of-n. This t will be called a threshold value.

There is still another secret distribution scheme according to which when 10 pieces of distributed information d₁, . . . , d₁₀ are generated, the secret information s can be recovered with 8 pieces of distributed information d₁, . . . , d₈, but the secret information s cannot be recovered with 8 pieces of distributed information d₃, . . . , d₁₀. In other words, secret distribution schemes include a scheme according to which whether or not the secret information s can be recovered is controlled not only by the number of pieces of distributed information obtained, but also the combination of distributed information obtained.

FIG. 3 is an explanatory drawing of s₀. FIG. 4 is an explanatory drawing of {right arrow over (s)}^(T).

Let a matrix M be an (L rows×r columns) matrix. Let {right arrow over (f)}^(T) be a column vector indicated in Formula 118.

$\begin{matrix} {{\overset{->}{f}}^{T}:={\left( {f_{1},{\ldots\mspace{14mu} f_{r}}} \right)^{T}\overset{U}{\longleftarrow}{??}_{q}^{r}}} & \left\lbrack {{Formula}\mspace{14mu} 118} \right\rbrack \end{matrix}$

Let s₀ indicated in Formula 119 be secret information to be shared. s ₀:={right arrow over (1)}·{right arrow over (f)} ^(T):=Σ_(k=1) ^(r) f _(k)  [Formula 119] Let {right arrow over (s)}^(T) indicated in Formula 120 be a vector of L pieces of distributed information of s₀. {right arrow over (s)} ^(T):=(s ₁ , . . . s _(L))^(T) :=M·{right arrow over (f)} ^(T)  [Formula 120]

Let the distributed information s_(i) belong to ρ(i).

If the access structure S:=(M, ρ) accepts Γ, that is, if {right arrow over (1)}ε span<(M_(i))_(γ(i)=1)> for γ:{1, . . . , L}→{0, 1}, then there exist constants {α_(i) εF_(q)|i εI} such that I⊂{i ε{1, . . . , L}|γ(i)−=1}.

This is obvious from the explanation about the example of FIG. 2 that if there exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)={right arrow over (1)}, the span program M{right arrow over ( )} accepts the input sequence δ. That is, if the span program M^ accepts the input sequence δ when there exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)={right arrow over (1)}, then there exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)={right arrow over (1)}.

Note Formula 121. Σ_(iεI)α_(i) s _(i) :=s ₀  [Formula 121]

Note that constants {α_(i)} are computable in time polynomial in the size of the matrix M.

<3. Basic Structure of Cryptographic Scheme (KP-ABE Scheme)>

The structure of the KP-ABE scheme will be briefly described. Note that KP (key policy) means that a policy, namely an access structure, is embedded in a key.

The KP-ABE scheme includes four algorithms: Setup, KeyGen, Enc, and Dec.

(Setup)

A Setup algorithm is a probabilistic algorithm that takes as input a security parameter λ and an upper limit n for the number of attributes for a ciphertext, and outputs a public parameter pk and a master key sk.

(KeyGen)

A KeyGen algorithm is a probabilistic algorithm that takes as input the public parameter pk, the master key sk, and an access structure S:=(M, ρ), and outputs a decryption key sk_(S).

(Enc)

An Enc algorithm is a probabilistic algorithm that takes as input the public parameter pk, a message m, and an attribute set Γ:={x_(j)}_(1≦j≦n′), and outputs a ciphertext ct_(Γ).

(Dec)

A Dec algorithm is an algorithm that takes as input the public parameter pk, the decryption key sk_(S), and the ciphertext ct_(Γ), and outputs the message m or a distinguished symbol ⊥.

<4. Basic Configuration of Cryptographic System 10>

The cryptographic system 10 that implements the algorithms of the KP-ABE scheme will be described.

FIG. 5 is a configuration diagram of the cryptographic system 10 that implements the KP-ABE scheme according to Embodiment 1.

The cryptographic system 10 includes a key generation device 100, an encryption device 200 (an example of a transmission device), and a decryption device 300 (an example of a reception device).

The key generation device 100 executes the Setup algorithm taking as input a security parameter λ and an upper limit n for the number of attributes for a ciphertext, and thereby generates a public parameter pk and a master key sk.

Then, the key generation device 100 publishes the public parameter pk. The key generation device 100 also executes the KG algorithm taking as input an access structure S, and thereby generates a decryption key sk_(S), and transmits the decryption key sk_(S) to the decryption device 300 in secrecy.

The encryption device 200 executes the Enc algorithm taking as input the public parameter pk, a message m, and an attribute set Γ, and thereby generates a ciphertext ct_(Γ). The encryption device 200 transmits the ciphertext ct_(Γ) to the decryption device 300.

The decryption device 300 executes the Dec algorithm taking as input the public parameter pk, the decryption key sk_(S), and the ciphertext ct_(Γ), and outputs the message m or a distinguished symbol ⊥.

<5. Key Technique and Simplified Cryptographic Scheme>

<5-1. Encoding>

In the functional encryption scheme described in Patent Literature 1, an identifier t is assigned to each attribute category, and a vector which is an element of a ciphertext (or a decryption key) is generated for each identifier t.

In Embodiment 1, a method for encoding attribute information is specially devised such that the identifier t for an attribute category is eliminated and one vector is used as an element of a ciphertext.

In Embodiment 1, a vector (one vector) which is an element of a ciphertext is generated such that each element of a vector {right arrow over (y)}:=(y₁, . . . , y_(n)) (first vector) consisting of coefficients y_(j) of a polynomial having attribute information x_(i) as roots is set as the coefficient of each basis vector of a basis B. That is, a vector which is an element of a ciphertext is generated such that the vector {right arrow over (y)}:=(y₁, . . . , y_(n)) being f(z)=(z-x₁)(z-x₂) . . . (z-x_(n))=y₁z^(n)+ . . . +y_(n-1)z+y_(n) is set as the coefficient of each basis vector of the basis B.

A vector (one or more vectors) which is an element of a decryption key is generated such that a vector {right arrow over (v)}_(i):=(v_(i) ^(n-1), . . . , v_(i), 1) (second vector) consisting of v_(i) ^(j) being a power of v_(i) is set as the coefficient of each basis vector of a basis B*, for each integer i=1, . . . , L.

With this arrangement, it is possible to control such that when a pairing operation is performed on the vector which is the element of the ciphertext and the vector which is the element of the decryption key, v_(i) is assigned to f(z), and if v_(i) is equal to any of x₁, . . . , x_(n), then f(v_(i))=0, and if v_(i) is not equal to any of x₁, . . . , x_(n), then f(v_(i))≠0.

<5-2. Sparse Matrix>

In the functional encryption scheme described in Patent Literature 1, a basis B and a basis B* being a pair of dual bases are generated. The basis B and the basis B* are generated using a fully random linear transformation X (change-of-basis matrix) uniformly selected from GL(N, F_(q)). In particular, the basis B and the basis B* are generated by transforming a canonical basis A by linear transformations X and (X⁻¹)^(T), respectively. Note that N denotes the number of dimensions of span<B> and span<B>.

In a typical application in which dual pairing vector spaces are applied to a cryptographic process, a part of the basis B (to be referred to as B^) is used as a public parameter, and the corresponding part of the basis B* (to be referred to as B^*) is used as a trapdoor.

In Embodiment 1, a special form of the random linear transformation X being XεGL(N, F_(q)) (a sparse matrix) is employed, in place of the fully random linear transformation X described above.

<5-3. Simplified Cryptographic Scheme>

A simplified KP-ABE scheme will be described.

A ciphertext in the simplified KP-ABE scheme consists of two vector elements (c₀, c₁)εG⁵×G^(n) as well as c₃≢G_(T). A secret key consists of the L+1 number of vector elements (k*₀, k*₁, . . . , k*_(L)εG⁵×(G^(n))^(L)) for an access structure S:=(M, ρ), where L denotes the number of rows in a matrix M and each vector element k*_(i) corresponds to each row of the matrix M. Note that (c₀, c₁)εG⁵×G^(n) signifies that c₀ is five elements of G, and c₁ is the n number of elements of G. Similarly, (k*₀, k*₁, . . . , k*_(L)εG⁵×(G^(n))^(L)) signifies that k*₀ is five elements of G, and k*₁, . . . , k*_(L) are the n number of elements of G.

Therefore, to achieve constant-size ciphertexts, it is necessary to compress c₁εG^(n) to a constant size in n.

In Embodiment 1, a special linear transformation X indicated in Formula 122 is employed.

$\begin{matrix} {X:={\begin{pmatrix} \mu & \; & \; & \mu_{1}^{\prime} \\ \; & \ddots & \; & \vdots \\ \; & \; & \mu & \mu_{n - 1}^{\prime} \\ \; & \; & \; & \mu_{n}^{\prime} \end{pmatrix} \in {\mathcal{H}\left( {n,{??}_{q}} \right)}}} & \left\lbrack {{Formula}\mspace{14mu} 122} \right\rbrack \end{matrix}$

Note that μ, μ′₁, . . . , μ′_(n) are values uniformly selected from a finite field F_(q), and a blank in the linear transformation X denotes 0εF_(q). Note also that H(n, F_(q)) signifies a set of n-dimensional matrices having the finite field F_(q) as elements.

A public key (basis in DPVS) is a basis B indicated in Formula 123-1.

$\begin{matrix} {{??}:={\begin{pmatrix} b_{1} \\ \vdots \\ \; \\ b_{n} \end{pmatrix}:=\begin{pmatrix} {\mu\; g} & \; & \; & {\mu_{1}^{\prime}g} \\ \; & \ddots & \; & \vdots \\ \; & \; & {\mu\; g} & {\mu_{n - 1}^{\prime}g} \\ \; & \; & \; & {\mu_{n}^{\prime}g} \end{pmatrix}}} & \left\lbrack {{{Formula}\mspace{14mu} 123} - 1} \right\rbrack \end{matrix}$

Let a ciphertext associated with an attribute set Γ:=(x₁, . . . , x_(n′)) be a ciphertext c₁ indicated in Formula 123-2. c ₁:=(ω{right arrow over (y)}

=ω(y ₁ b ₁ + . . . +y _(n) b _(n))=(y ₁ ωμg, . . . ,y _(n-1) ωμg,ω(Σ_(i=1) ^(n) y _(i)μ_(i)′)g)  [Formula 123]

Note that ω is a value uniformly selected from the finite field F_(q), and {right arrow over (y)}:=(y₁, y_(n)) is a vector indicated in Formula 124. Σ_(j=0) ^(n-1) y _(n-j) z ^(j) =z ^(n-1-n′)·Π_(j=1) ^(n′)(z−x _(j))  [Formula 124]

Then, the ciphertext c₁ can be compressed to two group elements C₁ and C₂ indicated in Formula 125 and the vector {right arrow over (y)}. C ₁ :=ωμg, C ₂:=ω(Σ_(i=1) ^(n) y _(i)μ_(i)′)g[Formula 103]

This is because the ciphertext c₁ is obtained by (y₁C₁, . . . , y_(n-1)C₁, C₂). Note that y_(i)C₁=y_(i)ωμg for each i=1, . . . , n−1.

Therefore, the ciphertext (excluding the vector {right arrow over (y)}) can be two group elements, and the size is constant in n.

Let B*:=(b*_(i)) be the dual orthonormal basis of B:=(b_(i)), and let the basis B* be a master secret key in the simplified KP-ABE scheme.

(c₀, k*₀, c₃) is specified such that e(c₀, k*₀)=g_(T) ^(ζ-ωs0) and c₃:=g_(T) ^(ζ)mεG_(T). Note that s0(s₀) is a center secret of shared information {s_(i)}_(i=1, . . . , L) associated with the access structure S.

Using the shared information {s_(i)}_(i=1, . . . , L), a set of secret keys for the access structure S is set as indicated in Formula 126.

$\begin{matrix} {{{k_{i}^{*}:={{\left( {{s_{i}{\overset{\rightarrow}{e}}_{1}} + {\theta_{i}{\overset{\rightarrow}{v}}_{i}}} \right)_{{??}^{*}}\mspace{14mu}{if}\mspace{14mu}{\rho(i)}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},{k_{i}^{*}:={{\left( {s_{i}{\overset{\rightarrow}{v}}_{i}} \right)_{{??}^{*}}\mspace{14mu}{if}\mspace{14mu}{\rho(i)}} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}}}}{where}{{{\overset{\rightarrow}{v}}_{i}:=\left( {v_{i}^{n - 1},\ldots\mspace{14mu},v_{i},1} \right)},{\theta_{i}\overset{U}{\leftarrow}{??}_{q}}}} & \left\lbrack {{Formula}\mspace{14mu} 126} \right\rbrack \end{matrix}$

From the dual orthonormality of the basis B and the basis B*, if the access structure S accepts the attribute set Γ, there exists a complementary coefficients {α_(i)}_(iεI) such that Formula 127 is satisfied.

$\begin{matrix} {{{e\left( {c_{1},{\overset{\sim}{k}}^{*}} \right)} = g_{T}^{\omega\; s_{0}}}{where}{{\overset{\sim}{k}}^{*}:={{\sum\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = v_{i}}\;{\alpha_{i}k_{i}^{*}}} + {\sum\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {⫬ v_{i}}}{{\alpha_{i}\left( {\overset{\rightarrow}{y} \cdot {\overset{\rightarrow}{v}}_{i}} \right)}^{- 1}k_{i}^{*}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 127} \right\rbrack \end{matrix}$

Hence, a decryptor can compute g_(T) ^(ωs0) and obtain a message m if and only if the access structure S accepts the attribute set Γ.

The ciphertext c₁ is represented as (y₁C₁, . . . , y_(n-1)C₁, C₂)εG^(n), and a secret key k^(˜)* is parsed as n-tuple (D*₁, . . . , D*_(n)). Thus, the value of e(c₁, k^(˜)*) is as indicated in Formula 128.

$\begin{matrix} {{\prod_{i = 1}^{n - 1}{{{e\left( {{y_{i}C_{1}},D_{i}^{*}} \right)} \cdot e}\left( {C_{2},D_{n}^{*}} \right)}} = {{\prod_{i = 1}^{n - 1}{{e\left( {C_{1},{y_{i}D_{i}^{*}}} \right)} \cdot {e\left( {C_{2},D_{n}^{*}} \right)}}} = {{e\left( {C_{1},{\sum_{i = 1}^{n - 1}{y_{i}D_{i}^{*}}}} \right)} \cdot {e\left( {C_{2},D_{n}^{*}} \right)}}}} & \left\lbrack {{Formula}\mspace{14mu} 128} \right\rbrack \end{matrix}$

That is, the n−1 number of scalar multiplications in G and two pairing operations are enough for computing e(c₁, k^(˜)*). This means that only a small (constant) number of pairing operations are required for decryption. Generally, a pairing operation is an operation which requires processing time. Therefore, by reducing the number of pairing operations, the processing time for the entirety of processing can be shortened.

In the simplified KP-ABE scheme, the ciphertext c₁ has only the basis vector in which the vector {right arrow over (y)} is set (real encoding part), and the secret key k*₁ has only the basis vector in which the vector {right arrow over (v)} is set (real encoding part).

In the KP-ABE scheme to be described below, in order to enhance security, a hidden part, a secret key randomness part, and a ciphertext randomness part are added to the ciphertext c₁ and the secret key k*₁ in addition to the real encoding part.

Therefore, the linear transformation X is expanded six-fold, as indicated in Formula 129. Then, the real encoding part, the hidden part, the secret key randomness part, and the ciphertext randomness part are assigned n, 2n, 2, and n dimensions, respectively.

$\begin{matrix} {X:=\begin{pmatrix} X_{1,1} & \ldots & X_{1,6} \\ \vdots & \; & \vdots \\ X_{6,1} & \ldots & X_{6,6} \end{pmatrix}} & \left\lbrack {{Formula}\mspace{14mu} 129} \right\rbrack \end{matrix}$

Note that each X_(i,j) is XεH(n, F_(q)) indicated in Formula 122. The vector space consists of four orthogonal subspaces. That is, the vector space consists of four orthogonal subspaces for the encoding part, the hidden part, the secret key randomness part, and the ciphertext randomness part.

<6. Cryptographic Scheme>

FIG. 6 is a configuration diagram of the key generation device 100 according to Embodiment 1. FIG. 7 is a configuration diagram of the encryption device 200 according to Embodiment 1. FIG. 8 is a configuration diagram of the decryption device 300 according to Embodiment 1.

FIG. 9 and FIG. 10 are flowcharts illustrating the operation of the key generation device 100 according to Embodiment 1. FIG. 9 is a flowchart illustrating the process of the Setup algorithm according to Embodiment 1, and FIG. 10 is a flowchart illustrating the process of the KeyGen algorithm according to Embodiment 1. FIG. 11 is a flowchart illustrating the operation of the encryption device 200 according to Embodiment 1 and illustrating the process of the Enc algorithm according to Embodiment 1. FIG. 12 is a flowchart illustrating the operation of the decryption device 300 according to Embodiment 1 and illustrating the process of the Dec algorithm according to Embodiment 1.

The function and operation of the key generation device 100 will be described.

As illustrated in FIG. 6, the key generation device 100 includes a master key generation part 110, a master key storage part 120, an information input part 130, a decryption key generation part 140, and a key transmission part 150. The master key generation part 110 includes a space generation part 111, a matrix generation part 112, a basis generation part 113, and a key generation part 114. The decryption key generation part 140 includes an f vector generation part 141, an s vector generation part 142, a random number generation part 143, and a key element generation part 144.

With reference to FIG. 9, the process of the Setup algorithm will be described.

(S101: Space Generation Step)

With a processing device, the space generation part 111 executes G_(bpg) taking as input a security parameter 1^(λ), and thereby generates a parameter param_(G):=(q, G, G_(T), g, e) of symmetric bilinear pairing groups.

Further, the space generation part 111 sets N₀:=5 and N₁:=6n. Then, with the processing device and for each integer t=0, 1, the space generation part 111 executes G_(dpvs) taking as input the security parameter 1^(λ), N_(t), and the parameter param_(G) of the symmetric bilinear pairing groups, and thereby generates a parameter param_(Vt):=(q, V_(t), G_(T), A, e) of dual pairing vector spaces.

(S102: Linear Transformation Generation Step)

With the processing device, the matrix generation part 112 generates a linear transformation X₀, as indicated in Formula 130.

$\begin{matrix} {X_{0}:={\left( \chi_{0,i,j} \right)_{i,{j = 1},\ldots\mspace{14mu},5}\overset{U}{\leftarrow}{{GL}\left( {N_{0},{??}_{q}} \right)}}} & \left\lbrack {{Formula}\mspace{14mu} 130} \right\rbrack \end{matrix}$

Note that (χ_(0,i,j))_(i,j=1, . . . , 5) in Formula 130 signifies a matrix concerning the suffixes i and j of the matrix χ_(0,i,j).

With the processing device, the matrix generation part 112 also generates a linear transformation X₁, as indicated in Formula 131.

$\begin{matrix} {X_{1}\overset{U}{\leftarrow}{\mathcal{L}\left( {6,n,{??}_{q}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 131} \right\rbrack \end{matrix}$

Note that L(6, n, F_(q)) in Formula 131 is as indicated in Formula 132.

$\begin{matrix} {{\mathcal{L}\left( {w,n,{??}_{q}} \right)}:=\left\{ {{X:={{\begin{pmatrix} X_{1,1} & \ldots & X_{1,w} \\ \vdots & \; & \vdots \\ X_{w,1} & \ldots & X_{w,w} \end{pmatrix}❘X_{i,j}}:={\left. \quad{\begin{pmatrix} \mu_{i,j} & \; & \; & \mu_{i,j,1}^{\prime} \\ \; & \ddots & \; & \vdots \\ \; & \; & \mu_{i,j} & \mu_{i,j,{n - 1}}^{\prime} \\ \; & \; & \; & \mu_{i,j,n}^{\prime} \end{pmatrix}\begin{matrix} {\in {\mathcal{H}\left( {,{??}_{q}} \right)}} \\ {{{for}\mspace{14mu} i},{j =}} \\ {1,\ldots\mspace{14mu},w} \end{matrix}} \right\}\bigcap{{GL}\left( {{wn},{??}_{q}} \right)}}}},{{\mathcal{H}\left( {n,{??}_{q}} \right)}:=\left\{ {\begin{pmatrix} u & \; & \; & u_{1}^{\prime} \\ \; & \ddots & \; & \vdots \\ \; & \; & u & {\; u_{n - 1}^{\prime}} \\ \; & \; & \; & u_{n}^{\prime} \end{pmatrix}❘\begin{matrix} {u,{u_{L}^{\prime} \in {??}_{q}},{{{for}\mspace{14mu} L} = 1},\ldots\mspace{14mu},n,} \\ {a\mspace{14mu}{blank}\mspace{14mu}{element}\mspace{14mu}{in}\mspace{14mu}{the}\mspace{20mu}{matrix}} \\ {{{denotes}\mspace{14mu} 0} \in {??}_{q}} \end{matrix}} \right\}}} \right.} & \left\lbrack {{Formula}\mspace{14mu} 132} \right\rbrack \end{matrix}$

In the following, {μ_(i,j), μ_(i,j,L)}_(i,j=1, . . . , 6; L=1, . . . , n) denotes non-zero elements in the linear transformation X₁.

(S103: Basis B Generation Step)

With the processing device, the basis generation part 113 generates a basis B₀, a variable B_(i,j), and a variable B′_(i,j,L), as indicated in Formula 133. b _(0,i):=(χ_(0,i,1), . . . ,χ_(0,i,5)

=Σ_(j=1) ⁵χ_(0,i,j) a _(j) for i=1, . . . ,5,

₀:=(b _(0,1) , . . . ,b _(0,5)), B _(i,j):=μ_(i,j) g,B _(i,j,L)′:=μ_(i,j,L) ′g for i,j=1, . . . ,6; L=1, . . . ,n  [Formula 133]

With the processing device, the basis generation part 113 also generates a basis B*₀ and a basis B*₁, as indicated in Formula 134.

for t=0, 1, (θ_(t,i,j))_(i,j=1, . . . ,N) _(t) :=ψ·(X _(t) ^(T))⁻¹, b* _(t,i):=(θ_(t,i,1), . . . ,θ_(t,i,N) _(t)

=Σ_(j=1) ^(N) ^(t) θ_(t,i,j) a _(j) for i=1, . . . ,N _(t),

*_(t):=(b* _(t,1) , . . . ,b _(t,N) _(t) *)  [Formula 134]

(S104: Basis B^ Generation Step)

With the processing device, the key generation part 114 generates a basis B{right arrow over ( )}₀, a basis B^₁, a basis B^*₀, and a basis B^*₁, as indicated in Formula 135.

B ₀:=(b _(0,1) ,b _(0,3) ,b _(0,5)),

:=(b _(1,1) , . . . ,b _(1,n) ,b _(1,5n+1) , . . . ,b _(1,6n))={B _(i,j) ,B _(i,j,L)′}_(i=1,6;j=1, . . . ,6;L=1, . . . ,n),

₀*:=(b _(0,1) *,b _(0,3) *b _(0,4)),

₁*:=(b _(1,1) * . . . ,b _(1,n) *,b _(1,3n+1) *, . . . ,b _(1,5n)*)  [Formula 135]

(S105: Master Key Generation Step)

With the processing device, the key generation part 114 generates a public parameter pk:=(1^(λ), param_(n), {B^_(t)}_(t=0, 1)) and a master secret key sk:={B^*_(t)}_(t=0, 1). Then, the key generation part 114 stores the public parameter pk and the master secret key sk in the master key storage part 120.

Note that param_(n):=({param_(Vt)}_(t=0, 1), g_(T):=e(g, g)^(φ)).

In brief, in (S101) through (S105), the key generation device 100 generates the public parameter pk and the master secret key sk by executing the Setup algorithm indicated in Formula 137, the Setup algorithm using an algorithm G^(ABE(1)) _(ob) indicated in Formula 136.

$\begin{matrix} {\mspace{79mu}{{{{{{??}_{ob}^{{ABE}{(1)}}\left( {1^{\lambda},6,n} \right)}\text{:}}\mspace{20mu}{{{param}_{??}:={\left( {q,{??},{??}_{T},g,e} \right)\overset{R}{\leftarrow}{{??}_{bpg}\left( 1^{\lambda} \right)}}},\mspace{20mu}{N_{0}:=5},{N_{1}:={6n}},{{param}_{{??}_{t}}:={\left( {q,{??}_{t},{??}_{T},{??},e} \right):={{{{??}_{dpvs}\left( {1^{\lambda},N_{t},{param}_{??}} \right)}\mspace{14mu}{for}\mspace{14mu} t} = 0}}},1,{\psi\overset{U}{\leftarrow}{??}_{q}^{\times}},{g_{T}:={e\left( {g,g} \right)}^{\psi}},{{param}_{n}:=\left( {\left\{ {param}_{{??}_{T}} \right\}_{{t = 0},1},g_{T}} \right)},{X_{0}:={\left( \chi_{0,i,j} \right)_{i,{j = 1},\ldots\mspace{14mu},5}\overset{U}{\leftarrow}{{GL}\left( {N_{0},{??}_{q}} \right)}}},{X_{1}\overset{U}{\leftarrow}{\mathcal{L}\left( {6,n,{??}_{q}} \right)}},\mspace{20mu}{hereafter}}{{\left\{ {\mu_{i,j},\mu_{i,j,L}^{\prime}} \right\}_{i,{j = 1},\ldots\mspace{14mu},{6;{L = 1}},\ldots\mspace{14mu},n}\mspace{14mu}{denotes}\mspace{14mu}{non}\text{-}{zero}\mspace{14mu}{entries}\mspace{14mu}{of}\mspace{14mu} X_{1}},\mspace{20mu}{b_{0,i}:={\left( {\chi_{0,i,1,\ldots\mspace{14mu},}\chi_{0,i,5}} \right)_{??} = {\sum_{j = 1}^{5}{\chi_{0,i,j}a_{j}}}}}}\mspace{20mu}{{{for}\mspace{14mu} i} = 1}},\ldots\;,5,{{??}_{0}:=\left( {b_{0,1},\ldots\mspace{14mu},b_{0,5}} \right)},\mspace{20mu}{B_{i.j}:={\mu_{i,j}g}},{B_{i,j,L}^{\prime}:={\mu_{i,j,L}^{\prime}g}}}\mspace{14mu}\mspace{20mu}{{{for}\mspace{14mu} i},{j = 1},\ldots\mspace{14mu},{6;{L = 1}},\ldots\mspace{14mu},n,\mspace{20mu}{{{for}\mspace{14mu} t} = 0},{{1\mspace{14mu}\left( \vartheta_{t,i,j} \right)_{i,{j = 1},\ldots\mspace{14mu},N_{t}}}:={\psi \cdot \left( X_{t}^{T} \right)^{- 1}}},\mspace{20mu}{b_{t,i}^{*}:={\left( {\vartheta_{t,i,1,\ldots\mspace{14mu},}\vartheta_{t,i,N_{t}}} \right)_{??} = {\sum_{j = 1}^{N_{t}}{\vartheta_{t,i,j}a_{j}}}}}}\mspace{20mu}{{{{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},N_{t},{{??}_{t}^{*}:=\left( {b_{t,1}^{*},\ldots\mspace{14mu},b_{t,N_{t}}^{*}} \right)},{{return}\mspace{14mu}{\left( {{param}_{n},{??}_{0},{??}_{0}^{*},\left\{ {B_{i,j},B_{i,j,L}^{\prime}} \right\}_{i,{j = 1},\ldots\mspace{14mu},{6;{L = 1}},\ldots\mspace{14mu},n},{??}_{1}^{*}} \right).}}}}} & \left\lbrack {{Formula}\mspace{14mu} 136} \right\rbrack \\ {\mspace{40mu}{{{Setup}\left( {1^{\lambda},n} \right)\text{:}}{{\left( {{param}_{n},{??}_{0},{??}_{0}^{*},\left\{ {B_{i,j},B_{i,j,L}^{\prime}} \right\}_{i,{j = 1},\ldots\mspace{14mu},{6;{L = 1}},{\ldots\mspace{14mu} n}},{??}_{1}^{*}} \right)\overset{R}{\leftarrow}{{??}_{ob}^{{ABE}{(1)}}\left( {1^{\lambda},6,n} \right)}},\mspace{20mu}{{\hat{??}}_{0}:=\left( {b_{0,1},b_{0,3},b_{0,5}} \right)},{{\hat{??}}_{1}:={\left( {b_{1,1},\ldots\mspace{14mu},b_{1,n},b_{1,{{5n} + 1}},\ldots\mspace{14mu},b_{1,{6n}}} \right) = \left\{ {B_{i,j},B_{i,j,L}^{\prime}} \right\}_{{i = 1},{6;{j = 1}},\ldots\mspace{14mu},{6;{L = 1}},\ldots\mspace{14mu},n}}},\mspace{20mu}{{\hat{??}}_{0}^{*}:=\left( {b_{0,1}^{*},b_{0,3}^{*},b_{0,4}^{*}} \right)},\mspace{20mu}{{\hat{??}}_{1}^{*}:=\left( {{b_{1,1,\ldots\mspace{14mu},}^{*}b_{1,n}^{*}},{b_{1,{{3n} + 1},\ldots\mspace{14mu},}^{*}b_{1,{5n}}^{*}}} \right)},\mspace{20mu}{{pk}:=\left( {1^{\lambda},{param}_{n},\left\{ {\hat{??}}_{t} \right\}_{{t = 0},1}} \right)},{{sk}:=\left\{ {\hat{??}}_{t}^{*} \right\}_{{t = 0},1}},\mspace{20mu}{{return}\mspace{14mu}{pk}},{{sk}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 137} \right\rbrack \end{matrix}$

The public parameter is published, for example, via a network, and is made available for the encryption device 200 and the decryption device 300.

In S103, instead of generating a basis B₁, the variable B_(i,j) is generated. If the basis B₁ is to be generated, it is as indicated in Formula 138.

$\begin{matrix} {{\begin{pmatrix} b_{1,{{{({i - 1})}n} + 1}} \\ \vdots \\ b_{1,{in}} \end{pmatrix}:=\begin{pmatrix} B_{i,1} & \; & \; & B_{i,1,1}^{\prime} & \; & B_{i,6} & \; & \; & B_{i,6,1}^{\prime} \\ \; & \ddots & \; & \vdots & \ldots & \; & \ddots & \; & \vdots \\ \; & \; & B_{i,1} & B_{i,1,{n - 1}}^{\prime} & \; & \; & \; & B_{i,6} & B_{i,6,{n - 1}}^{\prime} \\ \; & \; & \; & {B_{i,1,n}^{\prime}\;} & \; & \; & \; & \; & B_{i,6,n}^{\prime} \end{pmatrix}}\mspace{20mu}{{{{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},6,\mspace{20mu}{{??}_{1}:=\left( {b_{1,1,},\ldots\mspace{14mu},b_{1,{6n}}} \right)}}} & \left\lbrack {{Formula}\mspace{14mu} 138} \right\rbrack \end{matrix}$

A blank portion in the matrix of Formula 138 denotes that the value of the element is 0εG. The basis B₁ is the orthonormal basis of the basis B*₁. That is, e(b_(1,i), b*_(1,i))=g_(T), and e(b_(1,i),b*_(1,j))=1 for integers i and j of 1≦i≠j≦6n.

With reference to FIG. 10, the process of the KeyGen algorithm will be described.

(S201: Information Input Step)

With an input device, the information input part 130 takes as input an access structure S:=(M, ρ). Note that the matrix M of the access structure S is to be set according to the conditions of a system to be implemented. Note also that attribute information of a user of a decryption key sk_(S) is set in ρ of the access structure S, for example.

(S202: f Vector Generation Step)

With the processing device, the f vector generation part 141 randomly generates a vector {right arrow over (f)}, as indicated in Formula 139.

$\begin{matrix} {\overset{\rightarrow}{f}\overset{U}{\leftarrow}{??}_{q}^{r}} & \left\lbrack {{Formula}\mspace{14mu} 139} \right\rbrack \end{matrix}$

(S203: s Vector Generation Step)

With the processing device, the s vector generation part 142 generates a vector {right arrow over (s)}^(T):=(s₁, . . . , s_(L))^(T), as indicated in Formula 140. {right arrow over (s)} ^(T):=(s ₁ , . . . ,s _(L))^(T) :=M·{right arrow over (f)} ^(T)  [Formula 140]

With the processing device, the s vector generation part 142 also generates a value so, as indicated in Formula 141. s ₀:={right arrow over (1)}·{right arrow over (f)} ^(T)  [Formula 141]

(S204: Random Number Generation Step)

With the processing device, the random number generation part 143 generates random numbers, as indicated in Formula 142.

$\begin{matrix} {{\eta_{0}\overset{U}{\leftarrow}{??}_{q}},{{{\overset{\rightarrow}{\eta}}_{i}\overset{U}{\leftarrow}{{??}_{q}^{2n}\mspace{14mu}{for}\mspace{14mu} i}} = 1},\ldots\mspace{14mu},L,{{\theta_{i}\overset{U}{\leftarrow}{{??}_{q}\mspace{14mu}{for}\mspace{14mu} i}} = 1},\ldots\mspace{14mu},L} & \left\lbrack {{Formula}\mspace{14mu} 142} \right\rbrack \end{matrix}$

(S205: Key Element Generation Step)

With the processing device, the key element generation part 144 generates an element k*₀ of the decryption key sk_(S), as indicated in Formula 143. k ₀*:=(−s ₀,0,1,η₀,0

  [Formula 143]

With the processing device, the key element generation part 144 also generates an element k*_(i) of the decryption key sk_(S) for each integer i=1, . . . , L, as indicated in Formula 144.

$\begin{matrix} {{{{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},L,{{\overset{\rightarrow}{v}}_{i}:=\left( {v_{i}^{n - 1},\ldots\mspace{14mu},v_{i},1} \right)},{{{if}\mspace{14mu}{\rho(i)}} = v_{i}},{k_{i}^{*}:=\left( {\overset{\overset{n}{︷}}{{{s_{i}{\overset{\rightarrow}{e}}_{1}} + {\theta_{i}{\overset{\rightarrow}{v}}_{i}}},}\mspace{11mu}\overset{\overset{2n}{︷}}{0^{2n},}\mspace{11mu}\overset{\overset{2n}{︷}}{{\overset{\rightarrow}{\eta}}_{i},}\mspace{11mu}\overset{\overset{n}{︷}}{0^{n}}} \right)_{{??}_{1}^{*}}},{{{if}\mspace{14mu}{\rho(i)}} = {⫬ v_{i}}},{k_{i}^{*}:=\left( {\overset{\overset{n_{t}}{︷}}{{s_{i}{\overset{\rightarrow}{v}}_{i}},}\mspace{11mu}\overset{\overset{2n}{︷}}{0^{2n},}\mspace{11mu}\overset{\overset{2n}{︷}}{{\overset{\rightarrow}{\eta}}_{i},}\mspace{14mu}\overset{\overset{n}{︷}}{0^{n}}} \right)_{{??}_{1}^{*}}}} & \left\lbrack {{Formula}\mspace{14mu} 144} \right\rbrack \end{matrix}$

(S206: Key Transmission Step)

With a communication device and via the network, for example, the key transmission part 150 transmits the decryption key sk_(S) having, as elements, the access structure S inputted in (S201) and k*₀, k*₁, . . . , and k*_(L) generated in (S205) to the decryption device 300 in secrecy. As a matter of course, the decryption key sk_(S) may be transmitted to the decryption device 300 by another method.

In brief, in (S201) through (S205), the key generation device 100 generates the decryption key sk_(S) by executing the KeyGen algorithm indicated in Formula 145. In (S206), the key generation device 100 transmits the generated decryption key sk_(S) to the decryption device 300.

$\begin{matrix} {{{{KeyGen}\left( {{pk},{sk},{{??} = \left( {M,\rho} \right)}} \right)}\text{:}}{{\overset{\rightarrow}{f}\overset{U}{\leftarrow}{??}_{q}^{r}},{{\overset{\rightarrow}{s}}^{T}:={\left( {s_{1},\ldots\mspace{14mu},s_{L}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{T}}}},{s_{0}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{T}}},{\eta_{0}\overset{U}{\leftarrow}{??}_{q}},{k_{0}^{*}:=\left( {{- s_{0}},0,1,\eta_{0},0} \right)_{{??}_{0}^{*}}},{{{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},L,{{\overset{\rightarrow}{v}}_{i}:=\left( {v_{i}^{n - 1},\ldots\mspace{14mu},v_{i},1} \right)},{{\overset{\rightarrow}{\eta}}_{i}\overset{U}{\leftarrow}{??}_{q}^{2n}}}{{{{if}\mspace{14mu}{\rho(i)}} = {v_{i} \in {??}_{q}^{\times}}},{\theta_{i}\overset{U}{\leftarrow}{??}_{q}},{k_{i}^{*}:=\left( {\overset{\overset{n}{︷}}{{{s_{i}{\overset{\rightarrow}{e}}_{1}} + {\theta_{i}{\overset{\rightarrow}{v}}_{i}}},}\mspace{11mu}\overset{\overset{2n}{︷}}{0^{2n},}\mspace{11mu}\overset{\overset{2n}{︷}}{{\overset{\rightarrow}{\eta}}_{i},}\mspace{11mu}\overset{\overset{n}{︷}}{0^{n}}} \right)_{{??}_{1}^{*}}},{{{if}\mspace{14mu}\rho(i)} = {⫬ v_{i}}},{k_{i}^{*}:=\left( {\overset{\overset{n_{t}}{︷}}{{s_{i}{\overset{\rightarrow}{v}}_{i}},}\mspace{11mu}\overset{\overset{2n}{︷}}{0^{2n},}\mspace{11mu}\overset{\overset{2n}{︷}}{{\overset{\rightarrow}{\eta}}_{i},}\mspace{14mu}\overset{\overset{n}{︷}}{0^{n}}} \right)_{{??}_{1}^{*}}}}{{sk}_{??}:=\left( {{??},k_{0}^{*},k_{1}^{*},\ldots\mspace{14mu},k_{L}^{*}} \right)}{{return}\mspace{14mu}{{sk}_{??}.}}} & \left\lbrack {{Formula}\mspace{14mu} 145} \right\rbrack \end{matrix}$

The function and operation of the encryption device 200 will be described.

As illustrated in FIG. 7, the encryption device 200 includes a public parameter receiving part 210, an information input part 220, an encrypted data generation part 230, and a data transmission part 240. The encrypted data generation part 230 includes a random number generation part 231 and a cipher element generation part 232.

With reference to FIG. 11, the process of the Enc algorithm will be described.

(S301: Public Parameter Receiving Step)

With the communication device and via the network, for example, the public parameter receiving part 210 receives the public parameter pk generated by the key generation device 100.

(S302: Information Input Step)

With the input device, the information input part 220 takes as input a message m to be transmitted to the decryption device 300. With the input device, the information input part 220 also takes as input an attribute set Γ:={x₁, . . . , x_(n)′|x_(j)εF_(q) ^(X), n′≦n−1}. Note that attribute information of a user capable of decryption is set in the attribute set Γ, for example.

(S303: Random Number Generation Step)

With the processing device, the random number generation part 231 generates random numbers, as indicated in Formula 146.

$\begin{matrix} {\omega,\varphi_{0},\varphi_{1},{\zeta\overset{U}{\leftarrow}{??}_{q}}} & \left\lbrack {{For}\;{mula}\mspace{14mu} 146} \right\rbrack \end{matrix}$

(S304: Cipher Element Generation Step)

With the processing device, the cipher element generation part 232 generates an element c₀ of a ciphertext ct_(Γ), as indicated in Formula 147. c ₀:=(ω,0,ζ,0,φ₀)

  [Formula 147]

With the processing device, the cipher element generation part 232 also generates elements C_(1,j) and C_(2,j) of the ciphertext ct_(Γ), as indicated in Formula 148.

for j=1, . . . , 6 C _(1,j) :=ωB _(1,j)+η₁ B _(6,j), C _(2,j):=Σ_(L=1) ^(n) y _(L)(ωB _(1,j,L)′+φ₁ B _(6,j,L)′)  [Formula 148] where {right arrow over (y)}:=(y ₁ , . . . ,y _(n)) such that Σ_(j=0) ^(n-1) y _(n-j) z _(j) =z ^(n-1-n′)·Π_(j=1) ^(n′)(z−x _(j)) With the processing device, the cipher element generation part 232 also generates an element c₃ of the ciphertext ct_(Γ), as indicated in Formula 149. c ₃ :=g _(T) ^(ζ) m  [Formula 149]

(S305: Data Transmission Step)

With the communication device and via the network, for example, the data transmission part 240 transmits the ciphertext ct_(Γ) having, as elements, the attribute set Γ inputted in (S302) and c₀, C_(1,j), C_(2,j), and c₃ generated in (S304) to the decryption device 300. As a matter of course, the ciphertext ct_(Γ) may be transmitted to the decryption device 300 by another method.

In brief, in (S301) through (S304), the encryption device 200 generates the ciphertext ct_(Γ) by executing the Enc algorithm indicated in Formula 150. In (S305), the encryption device 200 transmits the generated ciphertext ct_(Γ) to the decryption device 300.

$\begin{matrix} {{{{{Enc}\left( {{pk},m,{\Gamma = \left\{ {x_{1},\ldots\mspace{14mu},{x_{n^{\prime}}❘{x_{j} \in {??}_{q}^{\times}}},{n^{\prime} \leq {n - 1}}} \right\}}} \right)}\text{:}}\mspace{20mu}{\omega,\varphi_{0},\varphi_{1},{\zeta\overset{U}{\leftarrow}{??}_{q}},{\overset{\rightarrow}{y}:={{\left( {y_{1},\ldots\mspace{14mu},y_{n}} \right)\mspace{14mu}{such}\mspace{14mu}{that}\mspace{14mu}{\sum_{j = 0}^{n - 1}{y_{n - j}z^{j}}}} = {z^{n - 1 - n^{\prime}} \cdot {\prod_{j = 1}^{n^{\prime}}\left( {z - x_{j}} \right)}}}},\mspace{20mu}{c_{0}:=\left( {\omega,0,\zeta,0,\varphi_{0}} \right)_{{??}_{0}}},\mspace{20mu}{C_{1,j}:={{\omega\; B_{1,j}} + {\eta_{1}B_{6j}}}},\mspace{20mu}{C_{2,j}:={\sum_{L = 1}^{n}{y_{L}\left( {{\omega\; B_{1,j,L}^{\prime}} + {\varphi_{1}B_{6,j,L}^{\prime}}} \right)}}}}}\mspace{20mu}{{{{for}\mspace{14mu} j} = 1},\ldots\mspace{14mu},6,\mspace{20mu}{c_{3}:={g_{T}^{\zeta}m}},\mspace{20mu}{{ct}_{\Gamma}:=\left( {\Gamma,c_{0},\left\{ {C_{1,j},C_{2,j}} \right\}_{{j = 1},\ldots\mspace{14mu},6},c_{3}} \right)},\mspace{20mu}{{return}\mspace{14mu}{{ct}_{\Gamma}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 150} \right\rbrack \end{matrix}$

The function and operation of the decryption device 300 will be described.

As illustrated in FIG. 8, the decryption device 300 includes a decryption key receiving part 310, a data receiving part 320, a span program computation part 330, a complementary coefficient computation part 340, and a decryption part 350.

With reference to FIG. 12, the process of the Dec algorithm will be described.

(S401: Decryption Key Receiving Step)

With the communication device and via the network, for example, the decryption key receiving part 310 receives the decryption key sk_(S) transmitted by the key generation device 100. The decryption key receiving part 310 also receives the public parameter pk generated by the key generation device 100.

(S402: Data Receiving Step)

With the communication device and via the network, for example, the data receiving part 320 receives the ciphertext ct_(Γ) transmitted by the encryption device 200.

(S403: Span Program Computation Step)

With the processing device, the span program computation part 330 determines whether or not the access structure S included in the decryption key sk_(S) received in (S401) accepts F included in the ciphertext ct_(Γ) received in (S402). The method for determining whether or not the access structure S accepts Γ is as described in “2. Concept for Implementing Cryptographic Scheme”.

If the access structure S accepts Γ (accept in S403), the span program computation part 330 advances the process to (S404). If the access structure S rejects Γ (reject in S403), the span program computation part 330 determines that the ciphertext ct_(Γ) cannot be decrypted with the decryption key sk_(S), and ends the process.

(S404: Complementary Coefficient Computation Step)

With the processing device, the complementary coefficient computation part 340 computes I and a constant (complementary coefficient) {α_(i)}_(iεI) such that Formula 151 is satisfied.

$\begin{matrix} {\mspace{79mu}{{\overset{->}{1} = {\sum\limits_{i \in I}\;{\alpha_{i}M_{i}}}}\mspace{20mu}{{{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M},\mspace{20mu}{and}}\;{I \subseteq \left\{ {{i \in \left\{ {1,\ldots\mspace{14mu},L} \right\}}❘{\left\lbrack {{\rho(i)} = {{v_{i}\bigwedge v_{i}} \in \Gamma}} \right\rbrack\bigvee\left. \quad\left\lbrack {{\rho(i)} = {⫬ {{v_{i}\bigwedge v_{i}} \notin \Gamma}}} \right\rbrack \right\}}} \right.}}} & \left\lbrack {{Formula}\mspace{14mu} 151} \right\rbrack \end{matrix}$

(S405: Decryption Element Generation Step)

With the processing device, the decryption part 350 generates decryption elements D*₁, . . . , D_(6n), E*_(j), as indicated in Formula 152.

$\begin{matrix} {{\left( {D_{1}^{*},\ldots\mspace{14mu},D_{6n}^{*}} \right):={{\sum\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = v_{i}}\;{\alpha_{i}k_{i}^{*}}} + {\sum\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {⫬ v_{i}}}{\frac{\alpha_{i}}{{\overset{->}{v}}_{i} \cdot \overset{->}{y}}k_{i}^{*}}}}},\mspace{20mu}{E_{j}^{*}:={{\sum_{L = 1}^{n - 1}{y_{L - 1}D_{{{({j - 1})}n} + L}^{*}\mspace{14mu}{for}\mspace{14mu} j}} = 1}},\ldots\mspace{14mu},6} & \left\lbrack {{Formula}\mspace{14mu} 152} \right\rbrack \end{matrix}$

(S406: Pairing Operation Step)

With the processing device, the decryption part 350 computes Formula 153, and thereby generates a session key K=g_(T) ^(ζ). K:=e(c ₀ ,k ₀*)·Π_(j=1) ⁶(e(C _(1,j) ,E _(j)*)·e(C _(2,j) ,D _(jn)*))  [Formula 153]

(S407: Message Computation Step)

With the processing device, the decryption part 350 computes m′=c₃/K, and thereby generates a message m′(=m).

In brief, in (S401) through (S407), the decryption device 300 generates the message m′(=m) by executing the Dec algorithm indicated in Formula 154.

$\begin{matrix} {\mspace{85mu}{{{{{Dec}\left( {{pk},{{sk}_{??}:=\left( {{??},k_{0}^{*},k_{1}^{*},\ldots\mspace{14mu},k_{L}^{*}} \right)},\mspace{20mu}{{ct}_{\Gamma}:=\left( {\Gamma,c_{0},\left\{ {C_{1,j},C_{2,j}} \right\}_{{j = 1},\ldots\mspace{14mu},6},c_{3}} \right)}} \right)}\text{:}}{{{If}\mspace{14mu}{??}\mspace{14mu}{accepts}\mspace{14mu}\Gamma},{{then}\mspace{14mu}{compute}\mspace{14mu} I\mspace{14mu}{and}\mspace{20mu}\left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu}{such}\mspace{14mu}{that}},\mspace{20mu}{\overset{->}{1} = {\sum\limits_{i \in I}\;{\alpha_{i}M_{i}}}}}}\mspace{20mu}{{{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M},\mspace{20mu}{and}}\mspace{14mu}{I \subseteq \left\{ {{{{i \in \left\{ {1,\ldots\mspace{14mu},L} \right\}}❘{{\left\lbrack {{\rho(i)} = {{v_{i}\bigwedge v_{i}} \in \Gamma}} \right\rbrack\bigvee\left. \quad\left\lbrack {{\rho(i)} = {⫬ {{v_{i}\bigwedge v_{i}} \notin \Gamma}}} \right\rbrack \right\}}\overset{->}{y}}}:={{\left( {y_{1},\ldots\mspace{14mu},y_{n}} \right)\mspace{14mu}{such}\mspace{14mu}{that}\mspace{14mu}{\sum_{j = 0}^{n - 1}{y_{n - j}z^{j}}}} = {z^{n - 1 - n^{\prime}} \cdot {\prod_{j = 1}^{n^{\prime}}\left( {z - x_{j}} \right)}}}},{\left( {D_{1}^{*},\ldots\mspace{14mu},D_{6n}^{*}} \right):={{\sum\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = v_{i}}\;{\alpha_{i}k_{i}^{*}}} + {\sum\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {⫬ v_{i}}}{\frac{\alpha_{i}}{{\overset{->}{v}}_{i} \cdot \overset{->}{y}}k_{i}^{*}}}}},\mspace{20mu}{E_{j}^{*}:={{\sum_{L = 1}^{n - 1}{y_{L - 1}D_{{{({j - 1})}n} + L}^{*}\mspace{14mu}{for}\mspace{14mu} j}} = 1}},\ldots\mspace{14mu},6,\mspace{20mu}{K:={{e\left( {c_{0},k_{0}^{*}} \right)} \cdot {\prod_{j = 1}^{6}\left( {{e\left( {C_{1,j},E_{j}^{*}} \right)} \cdot {e\left( {C_{2,j},D_{jn}^{*}} \right)}} \right)}}},\mspace{20mu}{{{return}\mspace{14mu} m^{\prime}}:={c_{3}/{K.}}}} \right.}}} & \left\lbrack {{Formula}\mspace{14mu} 154} \right\rbrack \end{matrix}$

Based on Formula 138, B₁:=(b_(1,1), . . . , b_(1,6n)) is identified by {B_(i,j), B′_(i,j,L)}_(i,j=1, . . . , 6; L=1, . . . , n). {B_(i,j), B′_(i,j,L)}_(i=1,6; j=1, . . . , 6; L=1), . . . , included in the output of the Setup algorithm is identified by B^₁:=(b_(1,1), . . . , b_(1,n), b_(1,5n+1), . . . , b_(1,6n)).

Then, the Dec algorithm can be described as a Dec′ algorithm indicated in Formula 155.

$\begin{matrix} {\mspace{65mu}{{{{{Dec}^{\prime}\left( {{pk},{{sk}_{??}:=\left( {\overset{->}{v},k_{0}^{*},k_{1}^{*},\ldots\mspace{14mu},k_{L}^{*}} \right)},\mspace{20mu}{{ct}_{\Gamma}:=\left( {\Gamma,c_{0},\left\{ {C_{1,j},C_{2,j}} \right\}_{{j = 1},\ldots\mspace{14mu},6},c_{3}} \right)}} \right)}\text{:}}{{{If}\mspace{14mu}{??}\mspace{14mu}{accepts}\mspace{14mu}\Gamma},{{then}\mspace{14mu}{compute}\mspace{14mu} I\mspace{14mu}{and}\mspace{20mu}\left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu}{such}\mspace{14mu}{that}},\mspace{20mu}{\overset{->}{1} = {\sum\limits_{i \in I}\;{\alpha_{i}M_{i}}}}}}\mspace{20mu}{{{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M},\mspace{20mu}{and}}\mspace{14mu}{I \subseteq \left\{ {{{{i \in \left\{ {1,\ldots\mspace{14mu},L} \right\}}❘{{\left\lbrack {{\rho(i)} = {{v_{i}\bigwedge v_{i}} \in \Gamma}} \right\rbrack\bigvee\left. \quad\left\lbrack {{\rho(i)} = {⫬ {{v_{i}\bigwedge v_{i}} \notin \Gamma}}} \right\rbrack \right\}}\overset{->}{y}}}:={{\left( {y_{1},\ldots\mspace{14mu},y_{n}} \right)\mspace{14mu}{such}\mspace{14mu}{that}\mspace{14mu}{\sum_{j = 0}^{n - 1}{y_{n - j}z^{j}}}} = {z^{n - 1 - n^{\prime}} \cdot {\prod_{j = 1}^{n^{\prime}}\left( {z - x_{j}} \right)}}}},\mspace{20mu}{c_{1} = \begin{pmatrix} \overset{\overset{n}{︷}}{{y_{1}C_{1,1}},\ldots\mspace{14mu},{y_{n - 1}C_{1,1}C_{2,1}},} \\ \overset{\overset{n}{︷}}{{y_{1}C_{1,2}},\ldots\mspace{14mu},{y_{n - 1}C_{1,2}},C_{2,2}} \end{pmatrix}},\mspace{20mu}{\ldots\mspace{14mu}\begin{pmatrix} \overset{\overset{n}{︷}}{{y_{1}C_{1,5}},\ldots\mspace{14mu},{y_{n - 1}C_{1,5}C_{2,5}},} \\ \overset{\overset{n}{︷}}{{y_{1}C_{1,6}},\ldots\mspace{14mu},{y_{n - 1}C_{1,6}},C_{2,6}} \end{pmatrix}},\mspace{20mu}{{that}\mspace{14mu}{is}},{c_{1} = \left( {{\overset{\overset{n}{︷}}{{\omega\;\overset{->}{y}},}\overset{\overset{2n}{︷}}{0^{2n}}},\overset{\overset{2n}{︷}}{0^{2n}},\overset{\overset{n}{︷}}{\varphi_{1}\overset{->}{y}}} \right)_{{??}_{1}}},\;{K:={{e\left( {c_{0},k_{0}^{*}} \right)} \cdot {e\left( {c_{1},{{\sum\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = v_{i}}\;{\alpha_{i}k_{i}^{*}}} + {\sum\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {⫬ v_{i}}}{\frac{\alpha_{i}}{{\overset{->}{v}}_{i} \cdot \overset{->}{y}}k_{i}^{*}}}}} \right)}}},\mspace{20mu}{{{return}\mspace{14mu} m^{\prime}}:={c_{3}/{K.}}}} \right.}}} & \left\lbrack {{Formula}\mspace{14mu} 155} \right\rbrack \end{matrix}$

As indicated in Formula 156, when the Dec′ algorithm is employed, K:=g^(ζ) _(T) is obtained. Therefore, the message m′ (=m) can be obtained by dividing c₃=g^(ζ) _(T)m by K.

$\begin{matrix} {{{e\left( {c_{0},k_{0}^{*}} \right)} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = v_{i}}\;{{e\left( {c_{1},k_{i}^{*}} \right)}^{\alpha_{i}} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {⫬ v_{i}}}{e\left( {c_{1},k_{i}^{*}} \right)}^{\alpha_{i}/{({{\overset{\rightarrow}{v}}_{i} \cdot \overset{\rightarrow}{y}})}}}}}} = {{g_{T}^{{{- \omega}\; s_{0}} + \zeta}{\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = v_{i}}\;{g_{T}^{{\omega\alpha}_{i}s_{i}}{\prod\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {⫬ v_{i}}}g_{T}^{{\omega\alpha}_{i}{{s_{i}{({{\overset{\rightarrow}{v}}_{i} \cdot \overset{\rightarrow}{y}})}}/{({{\overset{\rightarrow}{v}}_{i} \cdot \overset{\rightarrow}{y}})}}}}}}} = {g_{T}^{{\omega{({{- s_{0}} + {\sum\limits_{i \in I}\;{\alpha_{i}s_{i}}}})}} + \zeta} = {g_{T}^{\zeta}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 156} \right\rbrack \end{matrix}$

In the KP-ABE scheme described in Embodiment 1, the ciphertext ct_(Γ) consists of a total of 17 elements of G, which are five elements in the element c₀, and 12 elements in the element C_(1,j) and the element C_(2j) for each integer j=1, . . . , 6, as well as one element of G_(T) in the element c₃. That is, the ciphertext ct_(Γ) is constant-size in n.

In the KP-ABE scheme described in Embodiment 1, the decryption process (Dec algorithm) executes only a total of 17 pairing operations, which are five operations in e(c₀, k*₀) indicated in Formula 153 and 12 operations in Π_(j=1) ⁶(e(C_(1,j), E*_(j))·e(C_(2,j), D*_(jn))). That is, the number of pairing operations required for the decryption process is small.

Embodiment 2

In Embodiment 2, a ciphertext-policy ABE (CP-ABE) scheme with a constant-size secret key will be described.

In Embodiment 2, description will be omitted for what is the same as in Embodiment 1, and differences from Embodiment 1 will be described.

First, a basic structure of a cryptographic scheme according to Embodiment 2 will be described.

Second, a configuration of a cryptographic system 10 that implements the cryptographic scheme according to Embodiment 2 will be described.

Third, the cryptographic scheme according to Embodiment 2 will be described in detail.

<1. Basic Structure of Cryptographic Scheme>

The structure of the CP-ABE scheme will be briefly described. Ciphertext-policy signifies that a policy, namely an access structure, is embedded in a ciphertext.

The CP-ABE scheme includes four algorithms: Setup, KeyGen, Enc, and Dec.

(Setup)

A Setup algorithm is a probabilistic algorithm that takes as input a security parameter λ and an upper limit n for of the number of attributes for a ciphertext, and outputs a public parameter pk and a master key sk.

(KeyGen)

A KeyGen algorithm is a probabilistic algorithm that takes as input the public parameter pk, the master key sk, and an attribute set Γ:={x_(j)}_(1≦j≦n′), and outputs a decryption key sk_(Γ).

(Enc)

An Enc algorithm is a probabilistic algorithm that takes as input the public parameter pk, a message m, and an access structure S:=(M, ρ), and outputs a ciphertext ct_(S).

(Dec)

A Dec algorithm is an algorithm that takes as input the public parameter pk, the decryption key sk_(Γ), and the ciphertext ct_(S), and outputs the message m or a distinguished symbol ⊥.

<2. Configuration of Cryptographic System 10 that Implements CP-ABE Scheme>

FIG. 13 is a configuration diagram of the cryptographic system 10 that implements the CP-ABE scheme according to Embodiment 2.

The cryptographic system 10 includes a key generation device 100, an encryption device 200 (an example of the transmission device), and a decryption device 300 (an example of the reception device).

The key generation device 100 executes the Setup algorithm taking as input a security parameter λ and an upper limit n for the number of attributes for a ciphertext, and thereby generates a public parameter pk and a master key sk. Then, the key generation device 100 publishes the generated public parameter pk. The key generation device 100 also executes the KeyGen algorithm taking as input an attribute set Γ, thereby generates a decryption key sk_(Γ), and transmits the decryption key sk_(Γ) to the decryption device 300 in secrecy.

The encryption device 200 executes the Enc algorithm taking as input the public parameter pk, a message m, and an access structure S, and thereby generates a ciphertext ct_(S). The encryption device 200 transmits the generated ciphertext ct_(S) to the decryption device 300.

The decryption device 300 executes the Dec algorithm taking as input the public parameter pk, the decryption key sk_(Γ), and the ciphertext ct_(S), and outputs the message m or a distinguished symbol ⊥.

<3. Cryptographic Scheme>

FIG. 14 is a configuration diagram of the key generation device 100 according to Embodiment 2. FIG. 15 is a configuration diagram of the encryption device 200 according to Embodiment 2. The configuration of the decryption device 300 is the same as the configuration of the decryption device 300 according to Embodiment 1 illustrated in FIG. 8.

FIG. 16 is a flowchart illustrating the process of the KeyGen algorithm according to Embodiment 2. FIG. 17 is a flowchart illustrating the process of the Enc algorithm according to Embodiment 2. The process of the Setup algorithm and the process of the Dec algorithm have the same flow as that of the process of the Setup algorithm and the process of the Dec algorithm according to Embodiment 1 indicated in FIG. 9 and FIG. 12, respectively.

The function and operation of the key generation device 100 will be described.

As illustrated in FIG. 14, the key generation device 100 includes a master key generation part 110, a master key storage part 120, an information input part 130, a decryption key generation part 140, and a key transmission part 150. The master key generation part 110 includes a space generation part 111, a matrix generation part 112, a basis generation part 113, and a key generation part 114. The decryption key generation part 140 includes a random number generation part 143 and a key element generation part 144.

With reference to FIG. 9, the process of the Setup algorithm will be described.

The process of (S101) through (S102) is the same as that in Embodiment 1.

(S103: Basis B Generation Step)

With the processing device, the basis generation part 113 generates a basis Do, a variable D_(i,j), and a variable D′_(i,j,L), as indicated in Formula 157, similarly to the basis B₀, the variable B_(i,j), and the variable B′_(i,j,L) in Embodiment 1. b _(0,i):=(χ_(0,i,1), . . . ,χ_(0,i,5)

=Σ_(j=1) ⁵χ_(0,i,j) a _(j) for i=1, . . . 5,

₀:=(b _(0,1) , . . . ,b _(0,5)), D _(i,j):=μ_(i,j) g,D _(i,j,L)′:=μ_(i,j,L) ′g for i,j=1, . . . ,6;L=1, . . . ,n  [Formula 157]

With the processing device, the basis generation part 113 also generates a basis D*₀ and a basis D*₁, as indicated in Formula 158, similarly to the basis B*₀ and the basis B*₁ in Embodiment 1.

for t=0, 1 (θ_(t,i,j))_(i,j=1, . . . ,N) _(t) :=ψ·(X _(t) ^(T))⁻¹, b* _(t,i):=(θ_(t,i,1), . . . ,θ_(t,i,N) _(t)

=Σ_(j=1) ^(N) ^(t) θ_(t,i,j) a _(j) for i=1, . . . N _(t),

*_(t):=(b* _(t,1) , . . . ,b _(t,N) _(t) *)  [Formula 158]

Then, the basis generation part 113 sets the basis D*₀ as a basis B₀, the basis D₀ as a basis B*₀, and the basis D*₁ as a basis B₁. The basis generation part 113 also sets the variable D_(i,j) as a variable B*_(i,j) and the variable D′_(i,j,L) as a variable B′*_(i,j,L) for each integer i, j=1, . . . , 6 and each integer L=1, . . . , n.

(S104: Basis B^ Generation Step)

With the processing device, the key generation part 114 generates a basis B^₀, a basis B^₁, a basis B^*₀, and a basis B^*₁, as indicated in Formula 159.

₀:=(b _(0,1) ,b _(0,3) ,b _(0,4)),

₁=(b _(1,1) , . . . ,b _(1,n) ,b _(1,3n+1) , . . . ,b _(1,5n)),

₀*:=(b _(0,1) *,b _(0,3) *,b _(0,5)*),

₁*:=(b _(1,1,) . . . ,b _(1,n) *,b _(1,5n+1) *, . . . ,b _(1,6n)*)={D _(i,j) ,D _(i,j,L)}_(i=1,6;j=1, . . . ,6;L=1, . . . ,n)  [Formula 159]

The process of (S105) is the same as that in Embodiment 1.

In brief, in (S101) through (S105), the key generation device 100 generates the public parameter pk and the master secret key sk by executing the Setup algorithm indicated in Formula 161, the Setup algorithm using an algorithm G^(ABE(2)) _(ob) indicated in Formula 160. Note that the algorithm G^(CP-ABE(2)) _(ob) uses the algorithm G^(ABE(1)) _(ob) indicated in Formula 136, as indicated in Formula 160.

$\begin{matrix} {\mspace{79mu}{{{{??}_{ob}^{{ABE}{(2)}}\left( {1^{\lambda},6,n} \right)}\text{:}}\mspace{20mu}{{\left( {{param}_{n},{??}_{0},{??}_{0}^{*},\left\{ {D_{i,j},D_{i,j,L}^{\prime}} \right\}_{i,{j = 1},\ldots\mspace{14mu},{6;{L = 1}},\ldots\mspace{14mu},n},{??}_{1}^{*}} \right)\overset{R}{\leftarrow}{{??}_{ob}^{(1)}\left( {1^{\lambda},6,n} \right)}},{{??}_{0}:={??}_{0}^{*}},{{??}_{0}^{*}:={??}_{0}},{{??}_{1}:={??}_{1}^{*}},{{??}_{i,j}^{*}:=D_{i,j}},{B_{i,j,L}^{\prime*} = D_{i,j,L}^{\prime}}}\mspace{79mu}{{{for}\mspace{14mu} i},{j = 1},\ldots\mspace{14mu},{6;{L = 1}},\ldots,n,\mspace{20mu}{{return}\mspace{14mu}{\left( {{param}_{n},{??}_{0},\mspace{20mu}{??}_{0}^{*},{??}_{1},\left\{ {B_{i,j}^{*},B_{i,j,L}^{\prime*}} \right\}_{i,{j = 1},\ldots\mspace{14mu},{6;{L = 1}},\ldots\mspace{14mu},n}} \right).}}}}} & \left\lbrack {{Formula}\mspace{14mu} 160} \right\rbrack \\ {\mspace{79mu}{{{{Setup}\left( {1^{\lambda},n} \right)}\text{:}}{{\left( {{param}_{n},{??}_{0},{??}_{0}^{*},{??}_{1},\left\{ {B_{i,j}^{*},B_{i,j,L}^{\prime*}} \right\}_{i,{j = 1},\ldots\mspace{14mu},{6;{L = 1}},\ldots\mspace{14mu},n}} \right)\overset{R}{\leftarrow}{{??}_{ob}^{{ABE}{(2)}}\left( {1^{\lambda},6,n} \right)}},\mspace{20mu}{{\hat{??}}_{0}:=\left( {b_{0,1}b_{0,3}b_{0,4}} \right)},\mspace{20mu}{{\hat{??}}_{1}:=\left( {b_{1,1},\ldots\mspace{14mu},b_{1,n},b_{1,3,{n + 1}},\ldots\mspace{14mu},b_{1,{5n}}} \right)},\mspace{20mu}{{\hat{??}}_{0}^{*}:=\left( {b_{0,1}^{*},b_{0,3}^{*},b_{0,5}^{*}} \right)},{{\hat{??}}_{1}^{*}:={\left( {b_{1,1}^{*},\ldots\mspace{14mu},b_{1,n}^{*},b_{1,{{5n} + 1}}^{*},\ldots\mspace{14mu},b_{1,{6n}}^{*}} \right) = \left\{ {B_{i,j}^{*},B_{i,j,L}^{\prime*}} \right\}_{{i = 1},{6;{j = 1}},\ldots\mspace{14mu},{6;{L = 1}},\ldots\mspace{14mu},n}}},\mspace{20mu}{{pk}:=\left( {1^{\lambda},{param}_{n},\left\{ {\hat{??}}_{t} \right\}_{{t = 0},1}} \right)},{{sk}:=\left\{ {\hat{??}}_{t}^{*} \right\}_{{t = 0},1}},\mspace{20mu}{{return}\mspace{14mu}{pk}},{{sk}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 161} \right\rbrack \end{matrix}$

The public parameter is published via the network, for example, and is made available for the encryption device 200 and the decryption device 300.

With reference to FIG. 16, the process of the KeyGen algorithm will be described.

(S501: Information Input Step)

With the input device, the information input part 130 takes as input an attribute set Γ:={x₁, . . . , x_(n′)|x_(j)εFq^(X), n′≦n−1}. Note that attribute information of a user of a decryption key sk_(Γ) is set in the attribute set Γ, for example.

(S502: Random Number Generation Step)

With the processing device, the random number generation part 143 generates random numbers, as indicated in Formula 162.

$\begin{matrix} {\omega,\varphi_{0},{\varphi_{1}\overset{U}{\leftarrow}{??}_{q}}} & \left\lbrack {{Formula}\mspace{14mu} 162} \right\rbrack \end{matrix}$

(S503: Key Element Generation Step)

With the processing device, the key element generation part 144 generates an element k*₀ of the decryption key sk_(Γ), as indicated in Formula 163. k ₀*:=

  [Formula 163]

With the processing device, the key element generation part 144 also generates elements K*_(1,j) and K*_(2,j) of the decryption key sk_(Γ), as indicated in Formula 164.

for j=1, . . . , 6 ωB _(1,j)*+φ₁ B _(6,j)*, K _(2,j):=Σ_(L=1) ^(n) y _(L)(ωB _(1,j,L)′*+φ₁ B _(6,j,L)′*)  [Formula 164] where {right arrow over (y)}:=(y ₁ , . . . ,y _(n)) such that Σ_(j=0) ^(n-1) y _(n-j) z ^(j) =z ^(n-1-n)′·Π_(j=1) ^(n)′(z−x _(j))

(S504: Key Transmission Step)

With the communication device and via the network, for example, the key transmission part 150 transmits the decryption key sk_(Γ) having, as elements, the attribute set Γ inputted in (S501) and k*₀, K*_(i,j), and K*_(2,j) generated in (S503) to the decryption device 300 in secrecy. As a matter of course, the decryption key sk_(Γ) may be transmitted to the decryption device 300 by another method.

In brief, in (S501) through (S503), the key generation device 100 generates the decryption key sk_(Γ) by executing the KeyGen algorithm indicated in Formula 165. In (S504), the key generation device 100 transmits the generated decryption key sk_(Γ) to the decryption device 300.

$\begin{matrix} {{{{{KeyGen}\left( {{pk},{sk},{\Gamma = \left\{ {x_{1},\ldots\mspace{14mu},{x_{n}^{\prime}❘{x_{j} \in {??}_{q}^{\times}}},{n^{\prime} \leq {n - 1}}} \right\}}} \right)}\text{:}}\mspace{20mu}{\omega,\varphi_{0},{\varphi_{1}\overset{U}{\leftarrow}{??}_{q}},{\overset{->}{y}:={{\left( {y_{1},\ldots\mspace{14mu},y_{n}} \right)\mspace{14mu}{such}\mspace{14mu}{that}\mspace{14mu}{\sum_{j = 0}^{n - 1}{y_{n - j}z^{j}}}} = {z^{n - 1 - n^{\prime}} \cdot {\prod_{j = 1}^{n^{\prime}}\left( {z - x_{j}} \right)}}}},\mspace{20mu}{k_{0}^{*}:=\left( {\omega,0,1,0,\varphi_{0}} \right)_{{??}_{0}^{*}}},\mspace{20mu}{K_{1,j}:={{\omega\; B_{1,j}^{*}} + {\varphi_{1}B_{6,j}^{*}}}},\mspace{20mu}{K_{2,j}:={\sum_{L = 1}^{n}{y_{L}\left( {{\omega\; B_{i,j,L}^{\prime*}} + {\varphi_{1}B_{6,j,L}^{\prime*}}} \right)}}}}}\mspace{20mu}{{{{for}\mspace{14mu} j} = 1},\ldots\mspace{14mu},6,\mspace{20mu}{{sk}_{\Gamma}:=\left( {\Gamma,k_{0}^{*},\left\{ {K_{1,j},K_{2,j}} \right\}_{{j = 1},\ldots\mspace{14mu},6}} \right)},\mspace{20mu}{{return}\mspace{14mu}{{sk}_{\Gamma}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 165} \right\rbrack \end{matrix}$

The function and operation of the encryption device 200 will be described.

As illustrated in FIG. 15, the encryption device 200 includes a public parameter receiving part 210, an information input part 220, an encrypted data generation part 230, and a data transmission part 240. The encrypted data generation part 230 includes a random number generation part 231, a cipher element generation part 232, an f vector generation part 233, and an s vector generation part 234.

With reference to FIG. 17, the process of the Enc algorithm will be described.

The process of (S601) is the same as the process of (S301) indicated in FIG. 11.

(S602: Information Input Step)

With the input device, the information input part 220 takes as input an access structure S:=(M, ρ). Note that the access structure S is to be set according to the conditions of a system to be implemented. Note also that attribute information of a user capable of decryption is set in p of the access structure S, for example.

With the input device, the information input part 220 also takes as input a message m to be transmitted to the decryption device 300.

(S603: f Vector Generation Step)

With the processing device, the f vector generation part 233 randomly generates a vector {right arrow over (f)}, as indicated in Formula 166.

$\begin{matrix} {\overset{->}{f}\overset{U}{\leftarrow}{??}_{q}^{r}} & \left\lbrack {{Formula}\mspace{14mu} 166} \right\rbrack \end{matrix}$

(S604: s Vector Generation Step)

With the processing device, the s vector generation part 234 generates a vector {right arrow over (s)}^(T):=(s₁, . . . ,s_(L))^(T), as indicated in Formula 167. {right arrow over (s)} ^(T):=(s ₁ , . . . ,s _(L))^(T) :=M·{right arrow over (f)} ^(T)  [Formula 167]

With the processing device, the s vector generation part 234 also generates a value s₀, as indicated in Formula 168. s ₀:={right arrow over (1)}·{right arrow over (f)} ^(T)  [Formula 168]

(S605: Random Number Generation Step)

With the processing device, the random number generation part 231 generates random numbers, as indicated in Formula 169.

$\begin{matrix} {\eta_{0},{\zeta\overset{U}{\leftarrow}{??}_{q}},{{{\overset{->}{\eta}}_{i}\overset{U}{\leftarrow}{{??}_{q}^{2n}\mspace{14mu}{for}\mspace{14mu} i}} = 1},\ldots\mspace{14mu},L,{{\theta_{i}\overset{U}{\leftarrow}{{??}_{q}\mspace{14mu}{for}\mspace{14mu} i}} = 1},\ldots\mspace{14mu},L} & \left\lbrack {{Formula}\mspace{14mu} 169} \right\rbrack \end{matrix}$

(S606: Cipher Element Generation Step)

With the processing device, the cipher element generation part 232 generates an element c₀ of a ciphertext ct_(S), as indicated in Formula 170. c ₀:=(−s ₀,0,ζ,η₀,0)

  [Formula 170]

With the processing device, the cipher element generation part 232 also generates an element c_(i) of the ciphertext ct_(S) for each integer i=1, . . . , L, as indicated in Formula 171.

$\begin{matrix} {{{{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},L,{{\overset{->}{v}}_{i}:=\left( {v_{i}^{n - 1},\ldots\mspace{14mu},v_{i},1} \right)},{{{if}\mspace{14mu}{\rho(i)}} = v_{i}},{c_{i}:=\left( {\overset{\overset{n}{︷}}{{{s_{i}{\overset{->}{e}}_{t,1}} + {\theta_{i}{\overset{->}{v}}_{i}}},}\overset{\overset{2n}{︷}}{0^{2n},}\;\overset{\overset{2n}{︷}}{{\overset{->}{\eta}}_{i},}\overset{\overset{n}{︷}}{0^{n}}} \right)_{{??}_{1}}},{{{if}\mspace{14mu}{\rho(i)}} = {⫬ v_{i}}},{c_{i}:=\left( {\overset{\overset{n_{t}}{︷}}{{s_{i}{\overset{\rightarrow}{v}}_{i}},}\mspace{11mu}\overset{\overset{2n}{︷}}{0^{2n},}\overset{\overset{2n}{︷}}{{\overset{->}{\eta}}_{i},}\overset{\overset{n}{︷}}{0^{n}}} \right)_{{??}_{1}}}} & \left\lbrack {{Formula}\mspace{14mu} 171} \right\rbrack \end{matrix}$

With the processing device, the cipher element generation part 232 also generates an element c₃ of the ciphertext ct_(S), as indicated in Formula 172. c ₃ :=g _(T) ^(ζ) m  [Formula 172]

(S607: Data Transmission Step)

With the communication device and via the network, for example, the data transmission part 240 transmits the ciphertext ct_(S) having, as elements, the access structure S inputted in (S602) and c₀, c₁, . . . , c_(L), and c₃ generated in (S606) to the decryption device 300. As a matter of course, the ciphertext ct_(S) may be transmitted to the decryption device 300 by another method.

In brief, in (S601) through (S606), the encryption device 200 generates the ciphertext ct_(S) by executing the Enc algorithm indicated in Formula 173. In (S607), the encryption device 200 transmits the generated ciphertext ct_(S) to the decryption device 300.

$\begin{matrix} {{{{Enc}\left( {{pk},m,{{??} = \left( {M,\rho} \right)}} \right)}\text{:}}{{\overset{\rightarrow}{f}\overset{U}{\leftarrow}{??}_{q}^{r}},{{\overset{\rightarrow}{s}}^{T}:={\left( {s_{1},\ldots\mspace{14mu},s_{L}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{T}}}},{s_{0}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{T}}},\eta_{0},{\zeta\overset{U}{\leftarrow}{??}_{q}},{c_{0}:=\left( {{- s_{0}},0,\zeta,\eta_{0},0} \right)_{{??}_{0}}},{{{for}\mspace{14mu} i} = 1},\ldots\mspace{14mu},L,{{\overset{\rightarrow}{v}}_{i}:=\left( {v_{i}^{n - 1},\ldots\mspace{14mu},v_{i},1} \right)},{{\overset{->}{\eta}}_{i}\overset{U}{\leftarrow}{??}_{q}^{2n}}}{{{{if}\mspace{14mu}{\rho(i)}} = {v_{i} \in {??}_{q}^{\times}}},{\theta_{i}\overset{U}{\leftarrow}{??}_{q}}}{{c_{i}:=\left( {\overset{\overset{n}{︷}}{{{s_{i}{\overset{->}{e}}_{t,1}} + {\theta_{i}{\overset{->}{v}}_{i}}},}\overset{\overset{2n}{︷}}{0^{2n},}\;\overset{\overset{2n}{︷}}{{\overset{->}{\eta}}_{i},}\overset{\overset{n}{︷}}{0^{n}}} \right)_{{??}_{1}}},{{{if}\mspace{14mu}{\rho(i)}} = {⫬ v_{i}}},{c_{i}:=\left( {\overset{\overset{n_{t}}{︷}}{{s_{i}{\overset{\rightarrow}{v}}_{i}},}\mspace{11mu}\overset{\overset{2n}{︷}}{0^{2n},}\overset{\overset{2n}{︷}}{{\overset{->}{\eta}}_{i},}\overset{\overset{n}{︷}}{0^{n}}} \right)_{{??}_{1}}},{c_{3}:={g_{T}^{\zeta}m}},{{ct}_{??}:=\left( {{??},c_{0},c_{1},\ldots\mspace{14mu},c_{L},c_{3}} \right)},{{return}\mspace{14mu}{{ct}_{??}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 173} \right\rbrack \end{matrix}$

The function and operation of the decryption device 300 will be described.

With reference to FIG. 12, the process of the Dec algorithm will be described.

(S401: Decryption Key Receiving Step)

With the communication device and via the network, for example, the decryption key receiving part 310 receives the decryption key sk_(Γ) transmitted by the key generation device 100. The decryption key receiving part 310 also receives the public parameter pk generated by the key generation device 100.

(S402: Data Receiving Step)

With the communication device and via the network, for example, the data receiving part 320 receives the ciphertext ct_(S) transmitted by the encryption device 200.

(S403: Span Program Computation Step)

With the processing device, the span program computation part 330 determines whether or not the access structure S included in the ciphertext ct_(S) received in (S402) accepts Γ included in the decryption key sk_(r) received in (S401).

If the access structure S accepts Γ (accept in S403), the span program computation part 330 advances the process to (S404). If the access structure S rejects Γ (reject in S403), the span program computation part 330 determines that the ciphertext ct_(Γ) cannot be decrypted with the decryption key sk_(S), and ends the process.

The process of (S404) is the same as that in Embodiment 1.

(S405: Decryption Element Generation Step)

With the processing device, the decryption part 350 generates cipher elements D₁, . . . , D*_(6n), and E*_(j), as indicated in Formula 174.

$\begin{matrix} {{\left( {D_{1}^{*},\ldots\mspace{14mu},D_{6n}^{*}} \right):={{\sum\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = v_{i}}\;{\alpha_{i}c_{i}}} + {\sum\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {⫬ v_{i}}}{\frac{\alpha_{i}}{{\overset{->}{v}}_{i} \cdot \overset{->}{y}}c_{i}}}}},\mspace{20mu}{E_{j}^{*}:={{\sum_{L = 1}^{n - 1}{y_{L - 1}D_{{{({j - 1})}n} + L}^{*}\mspace{14mu}{for}\mspace{14mu} j}} = 1}},\ldots\mspace{14mu},6} & \left\lbrack {{Formula}\mspace{14mu} 174} \right\rbrack \end{matrix}$

(S406: Pairing Operation Step)

With the processing device, the decryption part 350 computes Formula 175, and thereby generates a session key K=g_(T) ^(ζ). K:=e(c ₀ ,k ₀*)·Π_(j=1) ⁶(e(E _(j) *,K _(1,j))·e(D _(jn) *,K _(2,j)))  [Formula 175]

The process of (S407) is the same as that in Embodiment 1.

In brief, in (S401) through (S407), the decryption device 300 generates the message m′(=m) by executing the Dec algorithm indicated in Formula 176.

$\begin{matrix} {\mspace{79mu}{{{{{Dec}\left( {{pk},{{sk}_{\Gamma}:=\left( {\Gamma,k_{0}^{*},\left\{ {K_{1,j},K_{2,j}} \right\}_{{j = 1},\ldots\mspace{14mu},6}} \right)},\mspace{20mu}{{ct}_{??}:=\left( {{??},c_{0},c_{1},\ldots\mspace{14mu},c_{L},c_{3}} \right)}} \right)}:\mspace{20mu}{{If}\mspace{14mu}{??}\mspace{14mu}{accepts}\mspace{14mu}\Gamma}},\mspace{20mu}{{then}\mspace{14mu}{compute}\mspace{14mu} I\mspace{14mu}{and}\mspace{14mu}\left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu}{such}\mspace{14mu}{that}},\mspace{20mu}{\overset{->}{1} = {\sum\limits_{i \in I}\;{\alpha_{i}M_{i}}}}}\mspace{20mu}{{{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M},\mspace{20mu}{and}}{I \subseteq \left\{ {{{{i \in \left\{ {1,\ldots\mspace{14mu},L} \right\}}❘{{\left\lbrack {{\rho(i)} = {{v_{i}\bigwedge v_{i}} \in \Gamma}} \right\rbrack\bigvee\left. \quad\left\lbrack {{\rho(i)} = {⫬ {{v_{i}\bigwedge v_{i}} \notin \Gamma}}} \right\rbrack \right\}}\overset{->}{y}}}:={{\left( {y_{1},\ldots\mspace{14mu},y_{n}} \right)\mspace{14mu}{such}\mspace{14mu}{that}\mspace{14mu}{\sum_{j = 0}^{n - 1}{y_{n - j}z^{j}}}} = {z^{n - 1 - n^{\prime}} \cdot {\prod_{j = 1}^{n^{\prime}}\left( {z - x_{j}} \right)}}}},{\left( {D_{1}^{*},\ldots\mspace{14mu},D_{6n}^{*}} \right):={{\sum\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = v_{i}}\;{\alpha_{i}c_{i}}} + {\sum\limits_{{i \in {I\bigwedge{\rho{(i)}}}} = {⫬ v_{i}}}{\frac{\alpha_{i}}{{\overset{->}{v}}_{i} \cdot \overset{->}{y}}c_{i}}}}},\mspace{20mu}{E_{j}^{*}:={{\sum_{L = 1}^{n - 1}{y_{L - 1}D_{{{({j - 1})}n} + L}^{*}\mspace{14mu}{for}\mspace{14mu} j}} = 1}},\ldots\mspace{14mu},{{6\mspace{20mu} K}:={{e\left( {c_{0},k_{0}^{*}} \right)} \cdot {\prod_{j = 1}^{6}\left( {{e\left( {E_{j}^{*},K_{1,j}} \right)} \cdot {e\left( {D_{jn}^{*},K_{2,j}} \right)}} \right)}}},\mspace{20mu}{{{return}\mspace{14mu} m^{\prime}}:={c_{3}/{K.}}}} \right.}}} & \left\lbrack {{Formula}\mspace{14mu} 176} \right\rbrack \end{matrix}$

In the CP-ABE scheme described in Embodiment 2, the decryption key sk_(Γ) consists of a total of 17 elements of G, which are five elements in the element k₀, and 12 elements in the element C_(1,j) and the element C_(2,j) for each integer j=1, . . . , 6. That is, the decryption key sk_(Γ) is constant-size in n.

In the CP-ABE scheme described in Embodiment 2, the decryption process (Dec algorithm) executes only a total of 17 pairing operations, similarly as in the KP-ABE scheme described in Embodiment 1. That is, the number of pairing operations required for the decryption process is small.

Embodiment 3

In Embodiment 3, an FE scheme to which the ABE scheme described in Embodiment 1 or 2 is applied will be described.

In Embodiment 3, description will be omitted for what is the same as in Embodiment 1 or 2, and differences from Embodiment 1 or 2 will be described.

A KP-FE scheme to which the KP-ABE scheme described in Embodiment 1 is applied will be described herein.

In the KP-ABE scheme described in Embodiment 1, the elements (C_(1,j), C_(2,j)) of the ciphertext are associated with the elements {k*_(i)}_(i=1, . . . , L) of the decryption key. In the KP-FE scheme, elements (C_(1,j,t), C_(2,j,t)) of a ciphertext and elements {k*_(i,t)}_(i=1, . . . , L) of a decryption key are generated for each category t. Then, the elements (C_(1,j,t), C_(2,j,t)) of the ciphertext are associated with the elements {k*_(i,t)}_(i=1, . . . , L) of the decryption key.

The configurations of a key generation device 100, an encryption device 200, and a decryption device 300 are the same as the configurations of the key generation device 100, the encryption device 200, and the decryption device 300 according to Embodiment 1 illustrated in FIG. 6 to FIG. 8, respectively.

The process of each algorithm has the same flow as that of the process of each algorithm according to Embodiment 1 illustrated in FIG. 9 to FIG. 12.

With reference to FIG. 9, the process of the Setup algorithm will be described.

(S101: Space Generation Step)

The space generation part 111 generates a parameter param_(G):=(q, G, G_(T), g, e), similarly as in Embodiment 1.

Further, the space generation part 111 sets N₀:=5 and N_(1,t):=6n_(t) for each integer t=1, . . . , d, where d is the value representing the number of attribute categories and an integer of 1 or greater, and n_(t) is an integer of 1 or greater. Then, with the processing device, the space generation part 111 executes G_(dpvs) taking as input a security parameter 1^(λ), N₀, and the parameter param_(G) of symmetric bilinear pairing groups, and thereby generates a parameter param v₀:=(q, V₀, G_(T), A, e) of dual pairing vector spaces. With the processing device, the space generation part 111 also executes G_(dpvs) taking as input the security parameter 1^(λ), N_(1,t), and the parameter param_(G) of symmetric bilinear pairing groups for each integer t=1, . . . , d, and thereby generates a parameter param_(V1,t):=(q, V_(1,t), G_(T), A, e) of dual pairing vector spaces.

(S102: Linear Transformation Generation Step)

With the processing device, the matrix generation part 112 generates a linear transformation X₀ and a linear transformation {X_(1,t)}_(t=1, . . . , d).

The linear transformation X₀ is the same as that in Embodiment 1. The linear transformation {X_(1,t)}_(t−1, . . . , d) is generated as indicated in Formula 177.

$\begin{matrix} {{{X_{1,t}\overset{U}{\leftarrow}{{\mathcal{L}\left( {6,n_{t},{??}_{q}} \right)}\mspace{14mu}{for}\mspace{14mu} t}} = 1},\ldots\mspace{14mu},d} & \left\lbrack {{Formula}\mspace{14mu} 177} \right\rbrack \end{matrix}$

In the following, {μ_(i,j,t), μ′_(i,j,L,t)}_(i,j=1, . . . , 6; L=1, . . . , n) denotes non-zero elements in the linear transformation X_(1,t).

(S103: Basis B Generation Step)

With the processing device, the basis generation part 113 generates a basis B₀, a variable B_(i,j,t), and a variable B′_(i,j,L,t), as indicated in Formula 178.

$\begin{matrix} {{b_{0,i}:={\left( {\chi_{0,i,1,\;\ldots\;,}\chi_{0,i,5}} \right)_{??} = {\sum_{j = 1}^{5}{\chi_{0,i,j}a_{j}}}}}{{{{for}\mspace{14mu} i} = 1},\ldots\mspace{11mu},5,{{??}_{0}:=\left( {b_{0,1},\ldots\mspace{11mu},b_{0,5}} \right)},{B_{i,j,t}:={\mu_{i,j,t}g}},{B_{i,j,L,t}^{\prime}:={\mu_{i,j,L,t}^{\prime}g{for}\mspace{14mu} i}},{j = 1},\ldots\mspace{11mu},{6;{L = 1}},\ldots\mspace{11mu},{n_{t};{t = 1}},\ldots\mspace{11mu},d}} & \left\lbrack {{Formula}\mspace{14mu} 178} \right\rbrack \end{matrix}$

With the processing device, the basis generation part 113 generates a basis B*₀ and a basis B*_(1,t), as indicated in Formula 179. (θ_(0,i,j))_(i,j=1, . . . ,5):=ψ·(X ₀ ^(T))⁻¹, b _(0,i)*:=(θ_(0,i,1), . . . ,θ_(0,i,5)

=Σ_(j=1) ⁵θ_(0,i,j) a _(j) for i=1, . . . ,5,

₀*:=(b _(0,1) *, . . . ,b _(0,5)*),[Formula 179] for t=1, . . . ,d, (θ_(t,i,j))_(i,j=1, . . . ,N) _(1,t) :=ψ·(X _(1,t) ^(T))⁻¹, b _(1,i,t)*:=(θ_(1,i,1,t), . . . ,θ_(1,i,N) _(1,t) _(,t)

=Σ_(j=1) ^(N) ^(1,t) θ_(1,i,j,t) a _(j) for i=1, . . . ,N _(1,t),

_(1,t)*:=(b _(1,1,t) *, . . . ,b _(1,N) _(1,t) _(,t)*)

(S104: Basis B^ Generation Step)

With the processing device, the key generation part 114 generates a basis B^₀, a basis B^_(1,t), a basis B^*₀, and a basis B^*_(1,t), as indicated in Formula 180.

₀:=(b _(0,1) ,b _(0,3) ,b _(0,5)), for t=1, . . . ,d,

_(1,t):=(b _(1,1,t) , . . . b _(1,n) _(t) _(,t) ,b _(1,5n) _(t) _(+1,t) , . . . ,b _(1,6n) _(t) _(,t))={B _(i,j,t) ,B _(i,j,L,t)′}_(i=1,6;j=1, . . . ,L=1, . . . ,n) _(t) _(;t=1, . . . ,d),

₀*:=(b _(0,1) *,b _(0,3) *,b _(0,4)*), for t=1, . . . ,d,

_(1,t)*:=(b _(1,1,t) *, . . . ,b _(1,n) _(t) _(,t) *,b _(1,3n) _(t) _(+1,t) , . . . ,b _(1,5n) _(t) _(,t)*)  [Formula 180]

(S105: Master Key Generation Step)

With the processing device, the key generation part 114 generates a public parameter pk:=(1 ^(λ), param_(n), B^₀, {B^_(1,t)}_(t=1, . . . , d)) and a master secret key sk:=(B^*₀, {B^*_(1,t)}_(t=1, . . . , d). Then, the key generation part 114 stores the public parameter pk and the master secret key sk in the master key storage part 120. Note param_(n):=(param_(V0),{param_(V1,t)}_(t=1, . . . ,d) ,g _(T)).

In brief, in (S101) through (S105), the key generation device 100 generates the public parameter pk and the master secret key sk by executing the Setup algorithm indicated in Formula 182, the Setup algorithm using an algorithm G^(FE(1)) _(ob) indicated in Formula 181.

$\begin{matrix} {{{\mspace{85mu}{{{{{{??}_{ob}^{{FE}{(1)}}\left( {1^{\lambda},6,n_{t}} \right)}\text{:}}\mspace{20mu}{{param}_{??}:={\left( {q,{??},{??}_{T},g,e} \right)\overset{R}{\longleftarrow}{{??}_{bpg}\left( 1^{\lambda} \right)}}}},\mspace{20mu}{N_{0}:=5},{N_{1,t}:={6n_{t}}},{{{for}\mspace{14mu} t} = 1},\ldots\mspace{11mu},d,{{param}_{{??}_{0}}:={\left( {q,{??}_{t},{??}_{T},{??},e} \right):={{??}_{dpvs}\left( {1^{\lambda},N_{0},{param}_{??}} \right)}}},{{param}_{{??}_{1,t}}:={\left( {q,{??}_{t},{??}_{T},{??},e} \right):={{{{??}_{dpvs}\left( {1^{\lambda},N_{1,t},{param}_{??}} \right)}\mspace{14mu}{for}\mspace{14mu} t} = 1}}},\ldots\mspace{11mu},d,{\psi\overset{U}{\longleftarrow}{??}_{q}^{x}},{g_{T}:={e\left( {g,g} \right)}^{\psi}},{{param}_{n}:=\left( {{param}_{{??}_{0}},\left\{ {param}_{{??}_{1,t}} \right\}_{{t = 1},\ldots\mspace{11mu},d},g_{T}} \right)},\mspace{20mu}{X_{0}:={\left( \chi_{0,i,j} \right)_{i,{j = 1},\ldots,5}\overset{U}{\longleftarrow}{{GL}\left( {N_{0,}{??}_{q}} \right)}}},\mspace{20mu}{{{X_{1,t}\overset{U}{\longleftarrow}{\mathcal{L}\left( {6,n_{t},{??}_{q}} \right)}}\mspace{14mu}{for}\mspace{14mu} t} = 1},\ldots\mspace{11mu},d,\mspace{79mu}{hereafter},\mspace{79mu}\left\{ {\mu_{i,j,t},\mu_{i,j,L,t}^{\prime}} \right\}_{i,{j = 1},\ldots,{6;{L = 1}},\ldots,{n_{t};{t = 1}},{\ldots d}}}\mspace{11mu}\mspace{76mu}{{{denotes}\mspace{14mu}{non}\text{-}{zero}\mspace{14mu}{entries}\mspace{14mu}{of}\mspace{14mu} X_{1,t}},\mspace{79mu}{b_{0,i}:={\left( {\chi_{0,i,1,\ldots,}\chi_{0,i,5}} \right)_{??} = {\sum_{j = 1}^{5}{\chi_{0,i,j}a_{j}}}}}}}\mspace{11mu}\mspace{76mu}\quad}{\quad{{{{for}\mspace{14mu} i} = 1},\ldots\mspace{11mu},5,{{??}_{0}:=\left( {b_{0,1},\ldots\mspace{11mu},b_{0,5}} \right)},\mspace{79mu}{B_{i,j,t}:={\mu_{i,j,t}g}},{B_{i,j,L,t}^{\prime}:=\;{\mu_{i,j,L,t}^{\prime}g}}}\mspace{11mu}\quad}}{\quad\mspace{79mu}{{{for}\mspace{14mu} i},{j = 1},\ldots\mspace{11mu},{6;{L = 1}},\ldots\mspace{11mu},{n_{t};{t = 1}},\ldots\mspace{11mu},{{d\mspace{20mu}\left( \vartheta_{0,i,j} \right)}_{i,{j = 1},\ldots,5}:={\psi \cdot \left( X_{0}^{T} \right)^{- 1}}},{b_{0,i}^{*}:={\left( {\vartheta_{0,i,1},\ldots\mspace{11mu},\vartheta_{0,i,5}} \right)_{??} = {\sum_{j = 1}^{5}{\vartheta_{0,i,j}a_{j}\mspace{14mu}{\quad{{{{for}\mspace{20mu} i} = 1},\ldots\mspace{11mu},5,\mspace{20mu}{{??}_{0}^{*}:=\left( {b_{0,1}^{*},\ldots\mspace{11mu},b_{0,5}^{*}} \right)},\mspace{20mu}{{{for}\mspace{14mu} t} = 1},\ldots\mspace{11mu},{{d\mspace{20mu}\left( \vartheta_{t,i,j} \right)}_{i,{j = 1},\ldots,N_{1,t}}:={\psi \cdot \left( X_{1,t}^{T} \right)^{- 1}}},{b_{1,i,t}^{*}:={\left( {\vartheta_{1,i,1,t},\ldots\mspace{11mu},\vartheta_{1,i,N_{1,t},t}} \right)_{??} = {\sum_{j = 1}^{N_{1,t}}{\vartheta_{1,i,j,t}a_{j}}}}}}\mspace{14mu}\quad}{\quad{{{{for}\mspace{14mu} i} = 1},\ldots\mspace{11mu},N_{1,t},\mspace{20mu}{{??}_{1,i,t}^{*}:=\left( {b_{1,1,t}^{*},\ldots\mspace{11mu},b_{1,N_{1,t},t}^{*}} \right)},\mspace{79mu}{{return}\mspace{14mu}{\left( {{param}_{n},{??}_{0},{??}_{0}^{*},\mspace{76mu}\left\{ {B_{i,j,t},B_{i,j,L,t}^{\prime}} \right\}_{i,{j = 1},...,{6;\;{L = 1}},\ldots,{n_{t};{t = 1}},\ldots,d},{??}_{1,t}^{*}} \right).}}}}}}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 181} \right\rbrack \\ {\mspace{79mu}{{{{Setup}\left( {1^{\lambda},n_{t}} \right)}\text{:}}{{\left( {{param}_{n},{??}_{0},{??}_{0}^{*},\left\{ {B_{i,j,t},B_{i,j,L,t}^{\prime}} \right\}_{i,{j = 1},\ldots,{6;{L = 1}},\ldots,{n_{t};{t = 1}},\ldots,d},{??}_{1,t}^{*}} \right)\overset{R}{\longleftarrow}{{??}_{ob}^{{FE}{(1)}}\left( {1^{\lambda},6,n_{t}} \right)}},\mspace{20mu}{{\hat{??}}_{0}:=\left( {b_{0,1},b_{0,3},b_{0,5}} \right)},\mspace{20mu}{{{for}\mspace{14mu} t} = 1},\ldots\mspace{11mu},d,\mspace{20mu}\begin{matrix} {{\hat{??}}_{1,t}:=\left( {b_{1,1,t},\ldots\mspace{11mu},b_{1,n_{t},t},b_{1,{{5n_{t}} + 1},t},\ldots\mspace{11mu},b_{1,{6n_{t}},t}} \right)} \\ {{= \left\{ {B_{i,j,t},B_{i,j,L,t}^{\prime}} \right\}_{{i = 1},{6;{j = 1}},\ldots,{6;{L = 1}},\ldots,{n_{t};{t = 1}},\ldots,d}},} \end{matrix}}\mspace{20mu}{{{\hat{??}}_{0}^{*}:=\left( {b_{0,1}^{*},b_{0,3}^{*},b_{0,4}^{*}} \right)},\mspace{20mu}{{{for}\mspace{14mu} t} = 1},\ldots\mspace{11mu},d,\mspace{20mu}{{\hat{??}}_{1,t}^{*}:=\left( {b_{1,1,t}^{*},\ldots\mspace{11mu},b_{1,n_{t},t}^{*},b_{1,{{3n_{t}} + 1},t}^{*},\ldots\mspace{11mu},b_{1,{5n_{t}},t}^{*}} \right)},\mspace{20mu}{{pk}:=\left( {1^{\lambda},{param}_{n},{{\hat{??}}_{0}\left\{ {\hat{??}}_{1,t} \right\}_{{t = 1},\ldots,d}}} \right)},\mspace{20mu}{{sk}:=\left( {{\hat{??}}_{0}\left\{ {\hat{??}}_{1,t} \right\}_{{t = 1},\ldots,d}} \right)},\mspace{20mu}{{return}\mspace{14mu}{pk}},{{sk}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 182} \right\rbrack \end{matrix}$

With reference to FIG. 10, the process of the KeyGen algorithm will be described.

The process of (S201) through (S202) is the same as that in Embodiment 1.

(S203: s Vector Generation Step)

With the processing device, the s vector generation part 142 generates a vector {right arrow over (s)}^(T):=(s₁, . . . , s_(L))^(T), as indicated in Formula 183. {right arrow over (s)} ^(T):=(s ₁ , . . . ,s _(L))^(T) :=M·{right arrow over (f)} ^(T)  [Formula 183]

With the processing device, the s vector generation part 142 also generates a value s₀, as indicated in Formula 184. s ₀:={right arrow over (1)}·{right arrow over (f)} ^(T)  [Formula 184]

(S204: Random Number Generation Step)

With the processing device, the random number generation part 143 generates random numbers, as indicated in Formula 185.

$\begin{matrix} {{{\eta_{0}\overset{U}{\longleftarrow}{??}_{q}},{{{{\overset{->}{\eta}}_{i}\overset{U}{\longleftarrow}{??}_{q}^{2n_{t}}}\mspace{31mu}{for}\mspace{14mu} i} = 1},\ldots\mspace{11mu},L,{{{\theta_{i}\overset{U}{\longleftarrow}{??}_{q}}\mspace{31mu}{for}\mspace{14mu} i} = 1},\ldots\mspace{11mu},L}\mspace{25mu}} & \left\lbrack {{Formula}\mspace{14mu} 185} \right\rbrack \end{matrix}$

(S205: Key Element Generation Step)

With the processing device, the key element generation part 144 generates an element k*₀ of a decryption key sk_(S), similarly as in Embodiment 1.

With the processing device, the key element generation part 144 also generates an element k*_(i) of the decryption key sk_(S) for each integer i=1, . . . , L and an index t included in a set I_(vi→), as indicated in Formula 186.

$\begin{matrix} {{{{for}\mspace{14mu} i} = 1},\ldots\mspace{11mu},L,{{{if}\mspace{14mu}{\rho(i)}} = \left( {t,v_{i}} \right)},{{\overset{->}{v}}_{i}:=\left( {v_{i}^{n_{t} - 1},\ldots\mspace{11mu},v_{i},1} \right)},{k_{i}^{*}:=\left( {\overset{\overset{n_{t}}{︷}}{{{s_{i}{\overset{->}{e}}_{1,t}} + {\theta_{i}{\overset{->}{v}}_{i}}},}\overset{\overset{2n_{t}}{︷}}{0^{2n_{t}},}\overset{\overset{2n_{t}}{︷}}{{\overset{->}{\eta}}_{i},}\overset{\overset{n_{t}}{︷}}{0^{n_{t}}}} \right)_{{??}_{1,t}^{*}}},{{{if}\mspace{14mu}{\rho(i)}} = {⫬ \left( {t,v_{i}} \right)}},{{\overset{->}{v}}_{i}:=\left( {v_{i}^{n_{t} - 1},\ldots\mspace{11mu},v_{i},1} \right)},{k_{i}^{*}:=\left( {\overset{\overset{n_{t}}{︷}}{{s_{i}{\overset{->}{v}}_{i}},}\overset{\overset{2n_{t}}{︷}}{0^{2n_{t}},}\overset{\overset{2n_{t}}{︷}}{{\overset{->}{\eta}}_{i},}\overset{\overset{n_{t}}{︷}}{0^{n_{t}}}} \right)_{{??}_{1,t}^{*}}}} & \left\lbrack {{Formula}\mspace{14mu} 186} \right\rbrack \end{matrix}$

The process of(S206) is the same as that in Embodiment 1.

In brief, in (S201) through (S205), the key generation device 100 generates the decryption key sk_(S) by executing the KeyGen algorithm indicated in Formula 187. In (S206), the key generation device 100 transmits the generated decryption key sk_(S) to the decryption device 300.

$\begin{matrix} {\mspace{79mu}{{{{{{KeyGen}\left( {{pk},{sk},{{??} = \left( {M,\rho} \right)}} \right)}\text{:}}\mspace{20mu}{{\overset{->}{f}\overset{U}{\longleftarrow}{??}_{q}^{r}},\mspace{20mu}{{\overset{->}{s}}^{T}:={\left( {s_{1},\ldots\mspace{11mu},s_{L}} \right)^{T}:={M \cdot {\overset{->}{f}}^{T}}}},{s_{0}:={\overset{->}{1} \cdot {\overset{->}{f}}^{T}}},\mspace{20mu}{\eta_{0}\overset{U}{\longleftarrow}{??}_{q}},\mspace{20mu}{k_{0}^{*}:=\left( {{- s_{0}},0,1,\eta_{0},0} \right)_{{??}_{0}^{*}}},\mspace{20mu}{{{for}\mspace{14mu} i} = 1},\ldots\mspace{11mu},L,{t = 1},\ldots\mspace{11mu},d,\mspace{79mu}{{{if}\mspace{14mu}{\rho(i)}} = \left( {t,v_{i}} \right)},\mspace{59mu}{{\overset{\mspace{25mu}->}{\mspace{20mu} v}}_{i}:=\left( {v_{i}^{n_{t} - 1},\ldots\mspace{11mu},v_{i},1} \right)},{\theta_{i}\overset{U}{\longleftarrow}{??}_{q}},{{\overset{->}{\eta}}_{i}\overset{U}{\longleftarrow}{??}_{q}^{2n_{t}}},\mspace{20mu}{k_{i}^{*}:=\left( {\overset{\overset{n_{t}}{︷}}{{{s_{i}{\overset{->}{e}}_{1,t}} + {\theta_{i}{\overset{->}{v}}_{i}}},}\overset{\overset{2n_{t}}{︷}}{0^{2n_{t}},}\overset{\overset{2n_{t}}{︷}}{{\overset{->}{\eta}}_{i},}\overset{\overset{n_{t}}{︷}}{0^{n_{t}}}} \right)_{{??}_{1,t}^{*}}},{{{if}\mspace{14mu}\rho(i)} = {⫬ \left( {t,v_{i}} \right)}},{{\overset{->}{v}}_{i}:=\left( {v_{i}^{n_{t} - 1},\ldots\mspace{11mu},v_{i},1} \right)},{{\overset{->}{\eta}}_{i}\overset{U}{\longleftarrow}{??}_{q}^{2n_{t}}},\mspace{20mu}{k_{i}^{*}:=\left( {\overset{\overset{n_{t}}{︷}}{{s_{i}{\overset{->}{v}}_{i}},}\overset{\overset{2n_{t}}{︷}}{0^{2n_{t}},}\overset{\overset{2n_{t}}{︷}}{{\overset{->}{\eta}}_{i},}\overset{\overset{n_{t}}{︷}}{0^{n_{t}}}} \right)_{{??}_{1,t}^{*}}}}}\mspace{20mu}{{sk}_{??}:=\left( {{??},k_{0}^{*},\left\{ k_{i}^{*} \right\}_{{i = 1},\ldots\mspace{11mu},L}} \right)}}\mspace{20mu}{{return}\mspace{14mu}{{sk}_{??}.}}}\mspace{14mu}} & \left\lbrack {{Formula}\mspace{14mu} 187} \right\rbrack \end{matrix}$

With reference to FIG. 11, the process of the Enc algorithm will be described.

The process of (S301) is the same as that in Embodiment 1.

(S302: Information Input Step)

With the input device, the information input part 220 takes as input a message m to be transmitted to the decryption device 300. With the input device, the information input part 220 also takes as input an attribute set Γ_(t):={x_(1,t), . . . , x_(nt,t), n_(t)′≦n_(t)−1, t=1, . . . , d}.

(S303: Random Number Generation Step)

With the processing device, the random number generation part 231 generates random numbers, as indicated in Formula 188.

$\begin{matrix} {\omega,\varphi_{0},{\zeta\overset{U}{\longleftarrow}{??}_{q}},{{{\varphi_{1,t}\overset{U}{\longleftarrow}{??}_{q}}\mspace{31mu} t} = 1},\ldots\mspace{11mu},d} & \left\lbrack {{Formula}\mspace{14mu} 188} \right\rbrack \end{matrix}$

(S304: Cipher Element Generation Step)

With the processing device, the cipher element generation part 232 generates an element c₀ and an element c₃ of a ciphertext ct_(Γ), similarly as in Embodiment 1.

With the processing device, the cipher element generation part 232 also generates elements C_(1,j,t) and C_(2,j,t) of the ciphertext ct_(Γ), as indicated in Formula 189.

for j=1, . . . , 6; t=1, . . . , d C _(1,j,t) :=ωB _(1,j,t)+η_(1,t) B _(6,j,t), C _(2,j,t):=Σ_(L=1) ^(n) ^(t) y _(L,t)(ωB _(1,j,L,t)′+φ₁ B _(6,j,L,t)′)  [Formula 189] where {right arrow over (y)} _(t):=(y _(1,t) , . . . ,y _(n) _(t) _(,t)) such that Σ_(j=0) ^(n) ^(t) ⁻¹ y _(n) _(t) _(-j,t) z _(j) =z ^(n) ^(t) ^(−1-jn) ^(t) ′·Π_(j=1) ^(n) ^(t) ′(z−x _(j,t))

The process of (S305) is the same as that in Embodiment 1.

In brief, in (S301) through (S304), the encryption device 200 generates the ciphertext ct_(F) by executing the Enc algorithm indicated in Formula 190. In (S305), the encryption device 200 transmits the generated ciphertext ct_(Γ) to the decryption device 300.

$\begin{matrix} {{{{Enc}\left( {{pk}, m,{\Gamma_{t} =}}\quad \right.}\left. \quad\left\{ {x_{1,t},\ldots\mspace{11mu},{{x_{n_{t}^{\prime},\; t,}n_{t}^{\prime}} \leq {n_{t} - 1}},{t = 1},\ldots\mspace{11mu},d} \right\} \right)\text{:}}\mspace{20mu}{\omega,\varphi_{0},{\zeta\overset{U}{\longleftarrow}{??}_{q}},{{{\varphi_{1,t}\overset{U}{\longleftarrow}{??}_{q}}\mspace{20mu} t} = 1},\ldots,,d,{{\overset{->}{y}}_{t}:={{\left( {y_{1,t},\ldots\mspace{11mu},y_{n_{t},t}} \right)\mspace{14mu}{such}\mspace{14mu}{that}\mspace{14mu}{\sum_{j = 0}^{n_{t} - 1}{y_{{n_{t} - j},t}z^{j}}}} = {z^{n_{t} - 1 - n_{t}^{\prime}} \cdot {\prod_{j = 1}^{n_{t}^{\prime}}\left( {z - x_{j,t}} \right)}}}},\mspace{20mu}{c_{0}:=\left( {\omega,0,\zeta,0,\varphi_{0}} \right)_{{??}_{0}}},\mspace{20mu}{{{for}\mspace{14mu} j} = 1},\ldots\mspace{11mu},{6;{t = 1}},\ldots\mspace{11mu},d}\mspace{20mu}{{C_{1,j,t}:={{\omega\; B_{1,j,t}} + {\eta_{1,t}B_{6,j,t}}}},\mspace{20mu}{C_{2,j,t}:={\sum_{L = 1}^{n_{t}}{y_{L,t}\left( {{\omega\; B_{1,j,L,t}^{\prime}} + {\varphi_{1}B_{6,j,L,t}^{\prime}}} \right)}}},\mspace{20mu}{c_{3}:={g_{T}^{\zeta}m}},\mspace{20mu}{{ct}_{\Gamma}:=\left( {\Gamma_{t},c_{0},\left\{ {C_{1,j,t},C_{2,j,t}} \right\}_{{j = 1},\;\ldots\;,{6;{t = 1}},\;\ldots\;,d},c_{3}} \right)},\mspace{20mu}{{return}\mspace{14mu}{{ct}_{\Gamma}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 190} \right\rbrack \end{matrix}$

With reference to FIG. 12, the process of the Dec algorithm will be described.

The process of (S401) through (S404) is the same as that in Embodiment 1.

(S405: Decryption Element Generation Step)

With the processing device, the decryption part 350 generates decryption elements D*_(1,t), . . . , D*_(6n,t), and E*_(j,t), as indicated in Formula 191.

$\begin{matrix} {{{{\left( {D_{1,t}^{*},\ldots\mspace{11mu},D_{{6n_{t}},t}^{*}} \right):={{\sum\limits_{{{i \in I_{t}} ⩓ {\rho{(i)}}} = {({t,v_{i}})}}{\alpha_{i}k_{i}^{*}}} + {\sum\limits_{{{i \in I_{t}} ⩓ {\rho{(i)}}} = {⫬ {({t,v_{i}})}}}{\frac{\alpha_{i}}{{\overset{->}{v}}_{i} \cdot {\overset{->}{y}}_{t}}k_{i}^{*}}}}},\mspace{79mu}{E_{j,t}^{*}:={\sum_{L = 1}^{n_{t} - 1}{y_{{L - 1},t}D_{{{{({j - 1})}n_{t}} + L},t}^{*}}}}}\;\mspace{79mu}{{{{for}\mspace{14mu} j} = 1},\ldots\mspace{11mu},{6;{t = 1}},\ldots\mspace{11mu},d}}\mspace{40mu}} & \left\lbrack {{Formula}\mspace{14mu} 191} \right\rbrack \end{matrix}$

(S406: Pairing Operation Step)

With the processing device, the decryption part 350 computes Formula 192, and thereby generates a session key K=g_(T) ^(ζ). K:=e(c ₀ ,k ₀*)·Π_(t=1) ^(d)Π_(j=1) ⁶(e(C _(1,j,t) ,E _(j,t)*)·e(C _(2,j,t) ,D _(jn) _(t) _(,t)*))  [Formula 192]

The process of (S407) is the same as that in Embodiment 1.

In brief, in (S401) through (S407), the decryption device 300 generates the message m′ (=m) by executing the Dec algorithm indicated in Formula 193.

$\begin{matrix} {{{\left. {{{\mspace{79mu}{{{{{{Dec}\left( {{pk},{{sk}_{??}:=\left( {{??},k_{0}^{*},k_{1}^{*},\ldots\mspace{11mu},k_{L}^{*}} \right)},{{ct}_{\Gamma}:=\left( {\Gamma_{t},c_{0},\left\{ {C_{1,j,t},C_{2,j,t}} \right\}_{{j = 1},\ldots\mspace{11mu},{6;{t = 1}},\ldots\mspace{11mu},d},c_{3}} \right)}} \right)}\text{:}}{{{If}\mspace{14mu}{??}\mspace{14mu}{accepts}\mspace{14mu}\Gamma},{{then}\mspace{14mu}{compute}\mspace{14mu} I\mspace{14mu}{and}\mspace{14mu}\left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu}{such}\mspace{14mu}{that}},\mspace{20mu}{\overset{->}{1} = {\sum\limits_{i \in I}{\alpha_{i}M_{i}}}}}\mspace{20mu}{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M},{and}}\;{{I \subseteq \left\{ {i \in \left\{ {1,\ldots\mspace{11mu},L} \right\}} \middle| {{\left\lbrack {{\rho(i)} =}\quad \right.\left( {t,v_{i}} \right)} ⩓ {v_{i} \in \Gamma_{t}}} \right\rbrack} ⩔ {\quad\quad}}}\quad}\quad}\left\lbrack {{\rho(i)} = {{⫬ \left( {t,v_{i}} \right)} ⩓ {v_{i} \notin \Gamma_{t}}}} \right\rbrack} \right\},\mspace{85mu}{I_{t} \subseteq \left\{ {\left. {i \in I} \middle| {\rho(i)} \right. = {{\left( {t,v_{i}} \right) ⩔ {\rho(i)}} = {⫬ \left( {t,v_{i}} \right)}}} \right\}},{{\overset{->}{y}}_{t}:={{\left( {y_{1,t},\ldots\mspace{11mu},y_{n_{t},t}} \right)\mspace{14mu}{such}\mspace{14mu}{that}\mspace{14mu}{\sum_{j = 0}^{n_{t} - 1}{y_{{n_{t} - j},t}z^{j}}}} = {z^{n_{t} - 1 - n_{t}^{\prime}} \cdot {\prod_{j = 1}^{n_{t}^{\prime}}\left( {z - x_{j,t}} \right)}}}},{\left( {D_{1,t}^{*},\ldots\mspace{11mu},D_{{6n_{t}},t}^{*}} \right):={{\sum\limits_{{{i \in I_{t}} ⩓ {\rho{(i)}}} = {({t,v_{i}})}}{\alpha_{i}k_{i}^{*}}} + {\sum\limits_{{{i \in I_{t}} ⩓ {\rho{(i)}}} = {⫬ {({t,v_{i}})}}}{\frac{\alpha_{i}}{{\overset{->}{v}}_{i} \cdot {\overset{->}{y}}_{t}}k_{i}^{*}}}}},\mspace{20mu}{E_{j,t}^{*}:={\sum_{L = 1}^{n_{t} - 1}{y_{{L - 1},t}D_{{{{({j - 1})}n_{t}} + L},t}^{*}}}}}\mspace{20mu}\mspace{20mu}{{{{for}\mspace{14mu} j} = 1},\ldots\mspace{11mu},{6;{t = 1}},\ldots\mspace{11mu},d,{K:={{e\left( {c_{0},k_{0}^{*}} \right)} \cdot {\prod_{t = 1}^{d}{\prod_{j = 1}^{6}\left( {{e\left( {C_{1,j,t},E_{j,t}^{*}} \right)} \cdot \;{e\left( {C_{2,j,t},D_{{jn}_{t},t}^{*}} \right)}} \right)}}}},\mspace{20mu}{{{return}\mspace{14mu} m^{\prime}}:=\;{c_{3}/{K.}}}}}\mspace{14mu}} & \left\lbrack {{Formula}\mspace{14mu} 193} \right\rbrack \end{matrix}$

The KP-FE scheme to which the KP-ABE scheme described in Embodiment 1 is applied has been described herein. A CP-FE scheme to which the CP-ABE scheme described in Embodiment 2 is applied can also be constructed in a similar manner. Each algorithm of the CP-FE scheme to which the CP-ABE scheme described in Embodiment 2 is applied is as indicated in Formula 194 through Formula 198.

$\begin{matrix} {{{{{{??}_{ob}^{{FE}{(2)}}\left( {1^{\lambda},6,n_{t}} \right)}\text{:}}{{\left( {{param}_{n},{??}_{0},{??}_{0}^{*},\left\{ {D_{i,j,t},D_{i,j,L,t}^{\prime}} \right\}_{i,{j = 1},\ldots,{6;{L = 1}},\ldots,{n_{t};{t = 1}},\ldots,d},{??}_{1,t}^{*}} \right)\overset{R}{\longleftarrow}{{??}_{ob}^{(1)}\left( {1^{\lambda},6,n_{t}} \right)}},\mspace{79mu}{{??}_{0}:={??}_{0}^{*}},{{??}_{0}^{*}:={??}_{0}},{{??}_{1,t}:={??}_{1,t}^{*}},\mspace{79mu}{B_{i,j,t}^{*}:={{D_{i,j,t,}\mspace{11mu} B_{i,j,L,t}^{\prime*}} = D_{i,j,L,t}^{\prime}}}}}\mspace{79mu}\quad}{\quad{{{for}\mspace{14mu} i},{j = 1},{{\ldots\mspace{14mu} 6};{L = 1}},\ldots\mspace{11mu},n_{t},\mspace{79mu}{{return}\mspace{20mu}{\left( {{param}_{n},{??}_{0},{??}_{0}^{*},\mspace{79mu}\left\{ {{??}_{1,t},\left\{ {B_{i,j,t}^{*},B_{i,j,L,t}^{\prime*}} \right\}_{i,{j = 1},\ldots,{6;{L = 1}},\ldots,n_{t}}} \right\}_{{t = 1},\ldots,d}} \right).}}}}} & \left\lbrack {{Formula}\mspace{14mu} 194} \right\rbrack \\ {\mspace{79mu}{{{{{Setup}\left( {1^{\lambda},n} \right)}\text{:}}{\left( {{param}_{n},{??}_{0},{??}_{0}^{*},\left\{ {B_{1,t},\left\{ {B_{i,j,t}^{\prime},B_{i,j,L,t}^{\prime*}} \right\}_{i,{j = 1},\ldots,{6;{L = 1}},\ldots,n_{t}}} \right\}_{{t = 1},\ldots,d}} \right)\overset{R}{\longleftarrow}{{??}_{ob}^{(2)}\left( {1^{\lambda},6,n_{t}} \right)}}},\mspace{20mu}{{\hat{??}}_{0}:=\left( {b_{0,1},b_{0,3},b_{0,4}} \right)},{{\hat{??}}_{1,t}:=\left( {b_{1,1,t},\ldots\mspace{11mu},b_{1,n_{t},t},b_{1,{{3n_{t}} + 1},t},\ldots\mspace{11mu},b_{1,{5n_{t}},t}} \right)},\mspace{20mu}{{\hat{??}}_{0}^{*}:=\left( {b_{0,1}^{*},b_{0,3}^{*},b_{0,5}^{*}} \right)},{{\begin{matrix} {{\hat{??}}_{1,t}^{*}:=\left( {b_{1,1,t}^{*},\ldots\mspace{11mu},b_{1,n_{t},t}^{*},b_{1,{{5n_{t}} + 1},t}^{*},\ldots\mspace{11mu},b_{1,{6n_{t}},t}^{*}} \right)} \\ {{= \left\{ {B_{i,j,t}^{\prime},B_{i,j,L,t}^{\prime*}} \right\}_{{i = 1},{6;{j = 1}},\ldots,{6;{L = 1}},\ldots,{n_{t};{t = 1}},\ldots,d}},} \end{matrix}\mspace{20mu}{pk}}:=\left( {1^{\lambda},{param}_{n},{{\hat{??}}_{0}\left\{ {\hat{??}}_{1,t} \right\}_{{t = 1},\ldots,d}}} \right)},\mspace{20mu}{{sk}:=\left( {{\hat{??}}_{0}\left\{ {\hat{??}}_{1,t} \right\}_{{t = 1},\ldots,d}} \right)},\mspace{20mu}{{return}\mspace{14mu}{pk}},{{sk}.}}} & \left\lbrack {{Formula}\mspace{14mu} 195} \right\rbrack \\ {{\left. \mspace{79mu}{{KeyGen}\left( {{pk},{sk},\;{\Gamma_{t} = x_{1,t}},\ldots\mspace{11mu},x_{n_{t}^{\prime},t},\text{}\mspace{79mu}{n_{t}^{\prime} \leq {n_{t} - 1}},{t = 1},\ldots\mspace{11mu},d} \right\}} \right)\text{:}}\mspace{20mu}{\omega,{\varphi_{0}\overset{U}{\longleftarrow}{??}_{q}},{{{\varphi_{1,t}\overset{U}{\longleftarrow}{??}_{q}}\mspace{25mu} t} = 1},\ldots\mspace{11mu},d,{{\overset{->}{y}}_{t}:={{\left( {y_{1,t},\ldots\mspace{11mu},y_{n_{t},t}} \right)\mspace{14mu}{such}\mspace{14mu}{that}\mspace{14mu}{\sum_{j = 0}^{n_{t} - 1}{y_{{n_{t} - j},t}z^{j}}}} = {z^{n_{t} - 1 - n_{t}^{\prime}} \cdot {\prod_{j = 1}^{n_{t}^{\prime}}\left( {z - x_{j,t}} \right)}}}},\mspace{20mu}{k_{0}^{*}:=\left( {\omega,0,1,0,\varphi_{0}} \right)_{{??}_{0}^{*}}},\mspace{20mu}{{{for}\mspace{14mu} j} = 1},\ldots\mspace{11mu},6,\mspace{14mu}{t = 1},\ldots\mspace{11mu},d,\mspace{20mu}{K_{1,j,t}:={{\omega\; B_{1,j,t}} + {\varphi_{1,t}B_{6,j,t}}}},\mspace{20mu}{K_{2,j,t}:={\sum_{L = 1}^{n_{t}}{y_{L,t}\left( {{\omega\; B_{1,j,L,t}^{\prime}} + {\varphi_{1,t}B_{6,j,L,t}^{\prime}}} \right)}}},\mspace{79mu}{{sk}_{\Gamma}:=\left( {\Gamma_{t},k_{0}^{*},\left\{ {K_{1,j,t},K_{2,j,t}} \right\}_{{j = 1},\ldots,{6;{t = 1}},\ldots,d}} \right)},\mspace{79mu}{{return}\mspace{14mu}{{sk}_{\Gamma}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 196} \right\rbrack \\ {\mspace{85mu}{{{{Enc}\left( {{pk},m,{{??} = \left( {M,\rho} \right)}} \right)}\text{:}}\mspace{20mu}{{\overset{->}{f}\overset{U}{\longleftarrow}{??}_{q}^{r}},\mspace{20mu}{{\overset{->}{s}}^{T}:={\left( {s_{1},\ldots\mspace{11mu},s_{L}} \right)^{T}:={M \cdot {\overset{->}{f}}^{T}}}},{s_{0}:={\overset{->}{1} \cdot {\overset{->}{f}}^{T}}},\mspace{20mu}\eta_{0},{\zeta\overset{U}{\longleftarrow}{??}_{q}},\mspace{20mu}{c_{0}:=\left( {{- s_{0}},0,\zeta,\eta_{0},0} \right)_{{??}_{0}}},\mspace{20mu}{{{for}\mspace{14mu} i} =}}{1,\ldots\mspace{11mu},L,\mspace{79mu}{{{if}\mspace{14mu}{\rho(i)}} = \left( {t,v_{i}} \right)},{{\overset{->}{v}}_{i}:=\left( {v_{i}^{n_{t} - 1},\ldots\mspace{11mu},v_{i},1} \right)},\mspace{79mu}{\theta_{i}\overset{U}{\longleftarrow}{??}_{q}},{{\overset{->}{\eta}}_{i}\overset{U}{\longleftarrow}{??}_{q}^{2n_{t}}},\mspace{20mu}{c_{i}:=\left( \;{\overset{\overset{n_{t}}{︷}}{{{s_{i}{\overset{->}{e}}_{1,t}} + {\theta_{i}{\overset{->}{v}}_{i}}},}\mspace{14mu}\overset{\overset{2n_{t}}{︷}}{0^{2n_{t}},}\mspace{14mu}\overset{\overset{2n_{t}}{︷}}{{\overset{->}{\eta}}_{i},}\mspace{14mu}\overset{\overset{n_{t}}{︷}}{0^{n_{t}}}}\; \right)_{{??}_{1,t}}},{{{if}\mspace{14mu}{\rho(i)}} = {⫬ \left( {t,v_{i}} \right)}},{{\overset{->}{v}}_{i}:=\left( {v_{i}^{n_{t} - 1},\ldots\mspace{11mu},v_{i},1} \right)},{{\overset{->}{\eta}}_{i}\overset{U}{\longleftarrow}{??}_{q}^{2n_{t}}},\mspace{20mu}{c_{i}:=\left( \;{\overset{\overset{n_{t}}{︷}}{{s_{i}{\overset{->}{v}}_{i}},}\mspace{14mu}\overset{\overset{2n_{t}}{︷}}{0^{2n_{t}},}\mspace{14mu}\overset{\overset{2n_{t}}{︷}}{{\overset{->}{\eta}}_{i},}\mspace{14mu}\overset{\overset{n_{t}}{︷}}{0^{n_{t}}}}\; \right)_{{??}_{1,t}}},\mspace{20mu}{c_{3}:={g_{T}^{\zeta}m}},\mspace{20mu}{{ct}_{??}:=\left( {{??},c_{0},\left\{ c_{i} \right\}_{{i = 1},\ldots,L},c_{3}} \right)},\mspace{20mu}{{return}\mspace{14mu}{{ct}_{??}.}}}}} & \left\lbrack {{Formula}\mspace{14mu} 197} \right\rbrack \\ {{\left. {{{{{{{Dec}\left( {{pk},{{sk}_{\Gamma}:=\mspace{79mu}\left( {\Gamma_{t},k_{0}^{*},\left\{ {K_{1,j,t},K_{2,j,t}} \right\}_{{j = 1},\ldots,{6;{t = 1}},\ldots,d}} \right)},\mspace{20mu}{{ct}_{??}:=\left( {{??},c_{0},\left\{ c_{i} \right\}_{{i = 1},\ldots\mspace{11mu},L},c_{3}} \right)}} \right)}\text{:}}{{{If}\mspace{14mu}{??}\mspace{14mu}{accepts}\mspace{14mu}\Gamma},{{then}\mspace{14mu}{compute}\mspace{14mu} I\mspace{14mu}{and}\mspace{14mu}\left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu}{such}\mspace{14mu}{that}},\mspace{20mu}{\overset{->}{1} = {\sum\limits_{i \in I}{\alpha_{i}M_{i}\mspace{20mu}{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M}}},{and}}{{I \subseteq \left\{ {i \in \left\{ {1,\ldots\mspace{11mu},L} \right\}} \middle| {{\left\lbrack {{\rho(i)} =}\quad \right.\left( {t,v_{i}} \right)} ⩓ {v_{i} \in \Gamma_{t}}} \right\rbrack} ⩔}}\quad}\quad}\left\lbrack {{\rho(i)} = {{⫬ \left( {t,v_{i}} \right)} ⩓ {v_{i} \notin \Gamma_{t}}}} \right\rbrack} \right\},\mspace{85mu}{I_{t} \subseteq \left\{ {\left. {i \in I} \middle| {\rho(i)} \right. = {{\left( {t,v_{i}} \right) ⩔ {\rho(i)}} = {⫬ \left( {t,v_{i}} \right)}}} \right\}},{{\overset{->}{y}}_{t}:={{\left( {y_{1,t},\ldots\mspace{11mu},y_{n_{t},t}} \right)\mspace{14mu}{such}\mspace{14mu}{that}\mspace{14mu}{\sum_{j = 0}^{n_{t} - 1}{y_{{n_{t} - j},t}z^{j}}}} = {z^{n_{t} - 1 - n_{t}^{\prime}} \cdot {\prod_{j = 1}^{n_{t}^{\prime}}\left( {z - x_{j,t}} \right)}}}},{\left( {D_{1,t}^{*},\ldots\mspace{11mu},D_{{6n_{t}},t}^{*}} \right):={{\sum\limits_{{{i \in I_{t}} ⩓ {\rho{(i)}}} = {({t,v_{i}})}}{\alpha_{i}c_{i}}} + {\sum\limits_{{{i \in I_{t}} ⩓ {\rho{(i)}}} = {⫬ {({t,v_{i}})}}}{\frac{\alpha_{i}}{{\overset{->}{v}}_{i} \cdot {\overset{->}{y}}_{t}}c_{i}}}}},\mspace{79mu}{E_{j,t}^{*}:={\sum_{L = 1}^{n_{t} - 1}{y_{{L - 1},t}D_{{{{({j - 1})}n_{t}} + L},t}^{*}}}}}{\quad\mspace{79mu}{{{{for}\mspace{14mu} j} = 1},\ldots\mspace{11mu},{6;{t = 1}},\ldots\mspace{11mu},d,{K:={{e\left( {c_{0},k_{0}^{*}} \right)} \cdot {\prod_{t = 1}^{d}{\prod_{j = 1}^{6}\left( {{e\left( {E_{j,t}^{*},K_{1,j,t}} \right)} \cdot \;{e\left( {D_{{jn}_{t},t}^{*},K_{2,j,t}} \right)}} \right)}}}},\mspace{20mu}{{{return}\mspace{14mu} m^{\prime}}:=\;{c_{3}/{K.}}}}\mspace{14mu}}} & \left\lbrack {{Formula}\mspace{14mu} 198} \right\rbrack \end{matrix}$

As described above, it is possible to construct the FE scheme by applying the ABE scheme according to Embodiment 1 or 2.

Embodiment 4

In Embodiment 4, an attribute-based signature (ABS) scheme to which the CP-ABE scheme described in Embodiment 2 is applied will be described.

In Embodiment 4, description will be omitted for what is the same as in Embodiment 2, and differences from Embodiment 2 will be described.

First, a basic structure of the signature scheme according to Embodiment 4 will be described.

Second, a configuration of a cryptographic system 10 that implements the signature scheme according to Embodiment 4 will be described.

Third, the signature scheme according to Embodiment 4 will be described in detail.

<1. Basic Structure of Cryptographic Scheme>

The structure of the ABS scheme will be briefly described. The ABS scheme includes four algorithms: Setup, KeyGen, Sig, and Ver.

(Setup)

A Setup algorithm is a probabilistic algorithm that takes as input a security parameter λ and an upper limit n for the number of attributes for a ciphertext, and outputs a public parameter pk and a master key sk.

(KeyGen)

A KeyGen algorithm is a probabilistic algorithm that takes as input the public parameter pk, the master key sk, and an attribute set Γ:={x_(j)}_(1≦j≦n′), and outputs a signature key sk_(Γ).

(Sig)

A Sig algorithm is a probabilistic algorithm that takes as input the public parameter pk, a message m, an access structure S:=(M, ρ), and the signature key sk_(Γ), and outputs a signature σ.

(Ver)

A Ver algorithm is an algorithm that takes as input the public parameter pk, the message m, the access structure S:=(M, ρ), and the signature σ, and outputs a value “1” indicating that the verification of the signature has succeeded, or a value “0” indicating that the verification of the signature has failed.

<2. Configuration of Cryptographic System 10 that Implements ABS Scheme>

FIG. 18 is a configuration diagram of the cryptographic system 10 that implements the ABS scheme according to Embodiment 4.

The cryptographic system 10 includes a key generation device 100, a signature device 400 (an example of the transmission device), and a verification device 500 (an example of the reception device).

The key generation device 100 executes the Setup algorithm taking as input a security parameter λ and an upper limit n for the number of attributes for a ciphertext, and thereby generates a public parameter pk and a master key sk. Then, the key generation device 100 publishes the generated public parameter pk. The key generation device 100 also executes the KeyGen algorithm taking as input an attribute set Γ, and thereby generates a signature key sk_(Γ), and transmits the signature key sk_(Γ) to the signature device 400 in secrecy.

The signature device 400 executes the Sig algorithm taking as input the public parameter pk, a message m, the access structure S, and the signature key sk_(Γ), and thereby generates a signature σ. The signature device 400 transmits the generated signature σ, the message m, and the access structure S to the verification device 500.

The verification device 500 executes the Ver algorithm taking as input the public parameter pk, the message m, the access structure S, and the signature σ, and outputs a value “1” or a value “0”.

<3. Signature Scheme>

FIG. 19 is a configuration diagram of the key generation device 100 according to Embodiment 4. FIG. 20 is a configuration diagram of the signature device 400 according to Embodiment 4. FIG. 21 is a configuration diagram of the verification device 500 according to Embodiment 4.

FIG. 22 and FIG. 23 are flowcharts illustrating the operation of the key generation device 100 according to Embodiment 4. FIG. 22 is a flowchart illustrating the process of the Setup algorithm according to Embodiment 4, and FIG. 23 is a flowchart illustrating the process of the KeyGen algorithm according to Embodiment 4. FIG. 24 is a flowchart illustrating the operation of the signature device 400 according to Embodiment 4, and illustrating the process of the Sig algorithm according to Embodiment 4. FIG. 25 is a flowchart illustrating the operation of the verification device 500 according to Embodiment 4, and illustrating the process of the Ver algorithm according to Embodiment 4.

In the following description, H:=(KH_(λ), H_(hk) ^(λ,D)) is a collision-resistant hash function. A collision-resistant hash function is a hash function for which it is difficult to find two inputs that hash to the same output.

Specifically, the following two items apply to a collision-resistant hash function family H associated with the algorithm G_(bpg) and a polynomial poly(λ).

1. A family of key spaces is indexed by λ. Each such key space is a probability space on bit strings denoted by KH_(λ). There exists a probabilistic polynomial-time algorithm whose output distribution on input 1^(λ) is equal to KH_(λ).

2. A family of hash functions is indexed by λ, hk randomly selected from KH_(λ), and D:={0, 1}^(poly(λ)), where each such function H_(hk) ^(λ,D) maps an element of D to F_(q) ^(x) with q being the first element of output param_(G) of algorithm G_(bpg)(1^(λ)). There exists a deterministic polynomial-time algorithm that outputs H_(hk) ^(λ,D)(d) on input 1^(λ), hk, and dεD.

The function and operation of the key generation device 100 will be described.

As illustrated in FIG. 19, the key generation device 100 includes a master key generation part 110, a master key storage part 120, an information input part 130, a decryption key generation part 140, and a key transmission part 150. The master key generation part 110 includes a space generation part 111, a matrix generation part 112, a basis generation part 113, and a key generation part 114. The decryption key generation part 140 includes a random number generation part 143 and a key element generation part 144.

With reference to FIG. 22, the process of the Setup algorithm will be described.

(S701: Space Generation Step)

The space generation part 111 generates a parameter param_(G):=(q, G, G_(T), g, e), similarly as in (S101) of FIG. 9.

Further, the space generation part 111 sets N₀:=4, N₁:=6n, and N₂:=7. Then, with the processing device and for each integer t=0, 1, 2, the space generation part 111 executes G_(dpvs) taking as input the security parameter 1^(λ), N_(t), and the parameter param_(G) of symmetric bilinear pairing groups, and thereby generates a parameter param v_(t):=(q, V_(t), G_(T), A, e) of dual pairing vector spaces.

(S702: Linear Transformation Generation Step)

With the processing device, the matrix generation part 112 generates a linear transformation X_(t) for each integer t=0, 2, as indicated in Formula 199.

$\begin{matrix} {{X_{t}:={{{\left( \chi_{t,i,j} \right)_{i,{j = 1},\ldots\;,N_{t}}\overset{U}{\longleftarrow}{{GL}\left( {N_{t},{??}_{q}} \right)}}\mspace{14mu}{for}\mspace{14mu} t} = 0}},2.} & \left\lbrack {{Formula}\mspace{14mu} 199} \right\rbrack \end{matrix}$

With the processing device, the matrix generation part 112 also generates a linear transformation X₁, as indicated in Formula 200.

$\begin{matrix} {X_{1}\overset{U}{\longleftarrow}{{??}\left( {6,n,{??}_{q}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 200} \right\rbrack \end{matrix}$

In the following, {μ_(i,j), μ′_(i,j,L)}_(i,j=1, . . . , 6; L=1, . . . , n) denotes non-zero elements in the linear transformation X₁.

(S703: Basis B Generation Step)

With the processing device, the basis generation part 113 generates a basis B*₀, a basis B*₂, a variable B*_(i,j), and a variable B′*_(i,j,L), as indicated in Formula 201.

for t=0, 2, b _(t,i)=(χ_(t,i,1), . . . ,χ_(t,i,N) _(t)

=Σ_(j=1) ^(N) ^(t) χ_(t,i,j) a _(j) for i=1, . . . ,N _(t),

_(t):=(b _(t,1) , . . . ,b _(t,N) _(t) )  [Formula 201] for i, j=1, . . . , 6; L=1, . . . , n, B* _(i,j):=μ_(i,j) g,B′* _(i,j,L):=μ′_(i,j,L) g With the processing device, the basis generation part 113 also generates a basis B₀, a basis B₁, and a basis B₂, as indicated in Formula 202. for t=0, 1, 2, (θ_(t,i,j))_(i,j=1, . . . ,N) _(t) :=ψ·(X _(t) ^(T))⁻¹, b* _(t,i):=(θ_(t,i,1), . . . θ_(t,i,N) _(t)

=Σ_(j=1) ^(N) ^(t) θ_(t,i,j) a _(j) for i=1, . . . ,N _(t),

*_(t):=(b* _(t,1) , . . . ,b _(t,N) _(t) )  [Formula 202]

(S704: Basis B^ Generation Step)

With the processing device, the key generation part 114 generates a basis B^₀, a basis B^₁, a basis B^₂, basis B^*₀, a basis B^*₁, and a basis B^*₂, as indicated in Formula 203.

₀:=(b _(0,1) ,b _(0,4)),

₁:=(b _(1,1) , . . . ,b _(1,n) ,b _(1,4n+1) , . . . ,b _(1,6n)),

₂:=(b _(2,1) ,b _(2,2) ,b _(2,7)),

₁*:=(b _(1,1) *, . . . ,b _(1,n) *,b _(1,3n+1) , . . . ,b _(1,4n)*)={B _(i,j) *,B _(i,j,L)*}_(i=1,4;j=1, . . . ,6;L=1, . . . ,n),

₀*:=(b _(2,1) *,b _(2,2) *,b _(2,5) *,b _(2,6)*)  [Formula 203]

(S705: Hash Key Generation Step)

With the processing device, the master key generation part 110 computes Formula 204, and thereby randomly generates a hash key hk.

$\begin{matrix} {{hk}\overset{R}{\longleftarrow}{KH}_{\lambda}} & \left\lbrack {{Formula}\mspace{14mu} 204} \right\rbrack \end{matrix}$

(S706: Master Key Generation Step)

With the processing device, the key generation part 114 generates a public parameter pk:=(1^(λ), hk, param_(n), {B^_(t)}_(t=0,1,2), {B^*_(t)}_(t=1,2), b*_(0,3)) and a master secret key sk:=b*_(0,1). Then, the key generation part 114 stores the public parameter pk and the master secret key sk in the master key storage part 120. Note that param_(n):=({param_(Vt)}_(t=0,1,2) ,g _(T) :=e(g,g)^(φ)).

In brief, in (S701) through (S706), the key generation device 100 generates the public parameter pk and the master secret key sk by executing the Setup algorithm indicated in Formula 206, the Setup algorithm using an algorithm G^(ABS) _(ob) indicated in Formula 205.

$\begin{matrix} {{\mspace{85mu}{{{{{??}_{ob}^{ABS}\left( {1^{\lambda},6,n} \right)}\text{:}}{{{param}_{??}:={\left( {q,{??},{??}_{T},g,e} \right)\overset{R}{\longleftarrow}{{??}_{bpg}\left( 1^{\lambda} \right)}}},\mspace{20mu}{N_{0}:=4},{N_{1}:={6n}},{N_{2}:=7},{{param}_{{??}_{t}}:={\left( {q,{??}_{t},{??}_{T},{??},e} \right):={{{{??}_{dpvs}\left( {1^{\lambda},N_{t},{param}_{??}} \right)}\mspace{14mu}{for}\mspace{14mu} t} = 0}}},1,2,\mspace{79mu}{\psi\overset{U}{\longleftarrow}{??}_{q}^{x}},{g_{T}:={e\left( {g,g} \right)}^{\psi}},\mspace{79mu}{{param}_{n}:=\left( {\left\{ {param}_{{??}_{t}} \right\}_{{t = 0},1,2},g_{T}} \right)},{X_{t}:={\left( \chi_{t,i,j} \right)_{i,{j = 1},\ldots,N_{t}}\overset{U}{\longleftarrow}{{GL}\left( {N_{t,}{??}_{q}} \right)}}},{{{for}\mspace{14mu} t} = 0},2,\mspace{20mu}{X_{1}\overset{U}{\longleftarrow}{\mathcal{L}\left( {6,n,{??}_{q}} \right)}},\mspace{14mu}{hereafter},\mspace{79mu}\left\{ {\mu_{i,j},\mu_{i,j,L}^{\prime}} \right\}_{i,{j = 1},\ldots,{6;{L = 1}},\ldots,n}}}\mspace{79mu}{{{denotes}\mspace{14mu}{non}\text{-}{zero}\mspace{14mu}{entries}\mspace{14mu}{of}\mspace{14mu} X_{1}},\mspace{20mu}{{{for}\mspace{14mu} t} = 0},2,\mspace{79mu}{b_{t,i}:={\left( {\chi_{t,i,1,\ldots,}\chi_{t,i,N_{t}}} \right)_{??} = {\sum_{j = 1}^{N_{t}}{\chi_{t,i,j}a_{j}}}}}}}\mspace{79mu}\quad}{\quad{{{{for}\mspace{14mu} i} = 1},\ldots\mspace{11mu},N_{t},\mspace{79mu}{{??}_{t}:=\left( {b_{t,1},\ldots\mspace{11mu},b_{t,N_{t}}} \right)},}\quad}{\quad\mspace{76mu}{{{for}\mspace{14mu} i},{j = 1},\ldots\mspace{11mu},{6;{L = 1}},\ldots\mspace{11mu},n,\mspace{79mu}{B_{i,j}^{*}:={\mu_{i,j}g}},{B_{i,j,L}^{\prime}:={{\mu_{i,j,L}^{\prime}g\mspace{79mu}{for}\mspace{14mu} t} = 0}},1,2,\mspace{79mu}{\left( \vartheta_{t,i,j} \right)_{i,{j = 1},\ldots,N_{t}}:={\psi \cdot \left( X_{t}^{T} \right)^{- 1}}},{b_{t,i}^{*}:={\left( {\vartheta_{t,i,1},\ldots\mspace{11mu},\vartheta_{t,i,N_{t}}} \right)_{??} = {\sum_{j = 1}^{N_{t}}{\vartheta_{t,i,j}a_{j}\mspace{14mu}{\quad{{{{for}\mspace{20mu} i} = 1},\ldots\mspace{11mu},N_{t},\mspace{20mu}{{??}_{t}^{*}:={\left( {b_{t,1}^{*},\ldots\mspace{11mu},b_{t,N_{t}}^{*}} \right)\mspace{79mu}{return}\mspace{14mu}\left( {{param}_{n},{??}_{0},{??}_{0}^{*},\mspace{79mu}\left\{ {B_{i,j},B_{i,j,L}^{\prime}} \right\}_{i,{j = 1},\ldots,{6;{L = 1}},\ldots,n},{\left. \quad\mspace{85mu}{{??}_{1}^{*},{??}_{2},{??}_{2}^{*}} \right).}} \right.}}}}}}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 205} \right\rbrack \\ {\mspace{85mu}{{{{Setup}\left( {1^{\lambda},n} \right)}\text{:}}\mspace{20mu}{{{hk}\overset{R}{\longleftarrow}{KH}_{\lambda}},{\left( {{param}_{n},{??}_{0},{??}_{0}^{*},{??}_{1},\left\{ {B_{i,j}^{*},B_{i,j,L}^{\prime*}} \right\}_{i,{j = 1},\ldots,{6;{L = 1}},\ldots,n}} \right)\overset{R}{\longleftarrow}{{??}_{ob}^{ABS}\left( {1^{\lambda},6,n} \right)}},\mspace{20mu}{{\hat{??}}_{0}:=\left( {b_{0,1},b_{0,4}} \right)},{{\hat{??}}_{1}:=\left( {b_{1,1},\ldots\mspace{11mu},b_{1,n},b_{1,{{4n} + 1}},\ldots\mspace{11mu},b_{1,{6n}}} \right)},\mspace{20mu}{{\hat{??}}_{2}:=\left( {b_{2,1},b_{2,2},b_{2,7}} \right)},{{\hat{??}}_{1}^{*}:={\left( {b_{1,1}^{*},\ldots\mspace{11mu},b_{1,n}^{*},b_{1,{{3n} + 1}}^{*},\ldots\mspace{11mu},b_{1,{4n}}^{*}} \right) = \left\{ {B_{i,j}^{*},B_{i,j,L}^{\prime*}} \right\}_{{i = 1},{4;{j = 1}},\ldots,{6;{L = 1}},\ldots,n}}},\mspace{20mu}{{\hat{??}}_{0}^{*}:=\left( {b_{2,1}^{*},b_{2,2}^{*},b_{2,5}^{*},b_{2,6}^{*}} \right)},\mspace{79mu}{{pk}:=\left( {1^{\lambda},{hk},{param}_{n},\mspace{79mu}\left\{ {\hat{??}}_{t} \right\}_{{t = 0},1,2},\left\{ {\hat{??}}_{t}^{*} \right\}_{{t = 1},2},b_{0,3}^{*}} \right)},{{sk}:=b_{0,1}^{*}},\mspace{79mu}{{return}\mspace{14mu}{pk}},{{sk}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 206} \right\rbrack \end{matrix}$

With reference to FIG. 23, the process of the KeyGen algorithm will be described.

The process of (S801) is the same as the process of (S501) in FIG. 16. However, attribute information of a user of a signature key sk_(Γ) is set in p of the access structure S, for example.

(S802: Random Number Generation Step)

With the processing device, the random number generation part 143 generates random numbers, as indicated in Formula 207.

$\begin{matrix} {\omega,\varphi_{0},\varphi_{1},\varphi_{2,1,1},{\varphi_{2,1,2}\varphi_{2,2,1}{\varphi_{2,2,2}\overset{U}{\longleftarrow}{??}_{q}}}} & \left\lbrack {{Formula}\mspace{14mu} 207} \right\rbrack \end{matrix}$

(S803: Key Element Generation Step)

With the processing device, the key element generation part 144 generates an element k*o of the signature key sk_(Γ), as indicated in Formula 208. k ₀*:=(ω,0,φ₀,0)

*₀  [Formula 208]

With the processing device, the key element generation part 144 generates elements L*_(1,j) and L*_(2,j) of the signature key sky, as indicated in Formula 209.

for j=1, . . . , 6 L _(1,j) :=ωB _(1,j)*+φ₁ B _(4,j)*, L _(2,j):=Σ_(L=1) ^(n) y _(L)(ωB _(1,j,L)′*+φ₁ B _(4,j,L)′*) where {right arrow over (y)}:=(y ₁ , . . . ,y _(n)) such that Σ_(j=0) ^(n-1) y _(n-j) z ^(j)=^(n-1-n)′·Π_(j=1) ^(n)′(z−x _(j))  [Formula 209]

With the processing device, the key element generation part 144 also generates elements k*_(2,1) and k*_(2,2) of the signature key sky, as indicated in Formula 210. k _(2,1)*:=(ω(1,0),0,0,φ_(2,1,1),φ_(2,1,2),0)

*₂, k _(2,2)*:=(ω(0,1),0,0,φ_(2,2,1),φ_(2,2,2),0)

*₂  [Formula 210]

(S804: Key Transmission Step)

With the communication device and via the network, for example, the key transmission part 150 transmits the signature key sk_(Γ) having, as elements, the attribute set Γ inputted in (S801) and k*₀, L*_(1,j), L*_(2,j), k*_(2,1), and k*_(2,2) generated in (S803) to the signature device 400 in secrecy. As a matter of course, the signature key sk_(Γ) may be transmitted to the signature device 400 by another method.

In brief, in (S801) through (S803), the key generation device 100 generates the signature key sk_(Γ) by executing the KeyGen algorithm indicated in Formula 211. In (S804), the key generation device 100 transmits the generated signature key sk_(Γ) to the decryption device 300.

$\begin{matrix} {\mspace{79mu}{{{{{KeyGen}\left( {{pk},{sk},{\Gamma = \left\{ {x_{1},\ldots\mspace{11mu},\left. x_{n^{\prime}} \middle| {x_{j} \in {??}_{q}^{x}} \right.} \right\}}} \right)}\text{:}}\mspace{20mu}{\omega,\varphi_{0},\varphi_{1},\varphi_{2,1,1},\varphi_{2,1,2},\varphi_{2,2,1},{\varphi_{2,2,2}\overset{U}{\longleftarrow}{??}_{q}},{\overset{->}{y}:={{\left( {y_{1},\ldots\mspace{11mu},y_{n}} \right)\mspace{14mu}{such}\mspace{14mu}{that}\mspace{11mu}{\sum_{j = 0}^{n - 1}{y_{n - j}z^{j}}}} = {z^{n - 1 - n^{\prime}} \cdot {\prod_{j = 1}^{n^{\prime}}\left( {z - x_{j}} \right)}}}},\mspace{20mu}{k_{0}^{*}:=\left( {\omega,0,\varphi_{0},0} \right)_{{??}_{0}^{*}}},\mspace{20mu}{L_{1,j}:={{\omega\; B_{1,j}^{*}} + {\varphi_{1}B_{4,j}^{*}}}},\mspace{20mu}{L_{2,j}:={\sum_{L = 1}^{n}{y_{L}\left( {{\omega\; B_{1,j,L}^{\prime*}} + {\varphi_{1}B_{4,j,L}^{\prime*}}} \right)}}}}}\mspace{20mu}{{{{for}\mspace{14mu} j} = 1},\ldots\mspace{11mu},6,\mspace{20mu}{k_{2,1}^{*}:=\left( {{\omega\left( {1,0} \right)},0,0,\varphi_{2,1,1},\varphi_{2,1,2},0} \right)_{{??}_{2}^{*}}},\mspace{20mu}{k_{2,2}^{*}:=\left( {{\omega\left( {0,1} \right)},0,0,\varphi_{2,2,1},\varphi_{2,2,2},0} \right)_{{??}_{2}^{*}}},\mspace{20mu}{{sk}_{\Gamma}:=\left( {\Gamma,k_{0}^{*},\left\{ {L_{1,j},L_{2,j}} \right\}_{{j = 1},\ldots\;,6},\left\{ k_{2,t}^{*} \right\}_{{t = 1},2}} \right)},\mspace{20mu}{{return}\mspace{14mu}{{sk}_{\Gamma}.}}}}} & \left\lbrack {{Formula}\mspace{14mu} 211} \right\rbrack \end{matrix}$

Note that the element k*₁ is defined as indicated in Formula 212, based on {L*_(1,j), L*_(2,j)}_(j=1, . . . , 6) and the vector {right arrow over (y)}.

$\begin{matrix} {{k_{1}^{*}:=\left( \;{\overset{\overset{n}{︷}}{{y_{1}L_{1,1}},\ldots\mspace{11mu},{y_{n - 1}L_{1,1}},L_{2,1},}\overset{\overset{n}{︷}}{{{y_{1}L_{1,2}},\ldots\mspace{11mu},{y_{n - 1}L_{1,2}},L_{2,2}}\;}} \right)},{\ldots{\quad{{\left( \;{\overset{\overset{n}{︷}}{{y_{1}L_{1,5}},\ldots\mspace{11mu},{y_{n - 1}L_{1,5}},L_{2,5},}\overset{\overset{n}{︷}}{{{y_{1}L_{1,6}},\ldots\mspace{11mu},{y_{n - 1}L_{1,6}},L_{2,6}}\;}} \right)\;\mspace{20mu}{that}\mspace{14mu}{is}},\mspace{14mu}{k_{1}^{*} = \left( {\overset{\overset{n}{︷}}{{\omega\;\overset{->}{y}},}\overset{\overset{2n}{︷}}{0^{2n},}\overset{\overset{n}{︷}}{{\varphi_{1}\overset{->}{y}},}\overset{\overset{2n}{︷}}{0^{2n}}} \right)_{{??}_{1}^{*}}},}}}} & \left\lbrack {{Formula}\mspace{14mu} 212} \right\rbrack \end{matrix}$

The function and operation of the signature device 400 will be described.

As illustrated in FIG. 20, the signature device 400 includes a signature key receiving part 410, an information input part 420, a complementary coefficient computation part 430, a signature data generation part 440, and a data transmission part 450. The signature data generation part 440 includes a random number generation part 441 and a signature element generation part 442.

With reference to FIG. 24, the process of the Sig algorithm will be described.

(S901: Signature Key Receiving Step)

With the communication device and via the network, for example, the signature key receiving part 410 receives the signature key sk_(Γ) generated by the key generation device 100. The signature key receiving part 410 also receives the public parameter pk generated by the key generation device 100.

(S902: Information Input Step)

With the input device, the information input part 420 takes as input an access structure S:=(M, ρ). With the input device, the information input part 420 also takes as input a message m to which a signature is to be appended.

(S903: Span Program Computation Step)

With the processing device, the complementary coefficient computation part 430 determines whether or not the access structure S inputted in (S902) accepts the attribute set Γ included in the signature key sk_(Γ) received in (S901).

If the access structure S accepts the attribute set Γ (accept in S903), the complementary coefficient computation part 430 advances the process to (S904). If the access structure S rejects the attribute set Γ (rejects in S903), the complementary coefficient computation part 430 ends the process.

(S904: Complementary Coefficient Computation Step)

With the processing device, the complementary coefficient computation part 430 computes a vector {right arrow over (y)} such that Formula 213 is satisfied, I such that Formula 214 is satisfied, and a constant (complementary coefficient) α_(i) for each integer i included in I. {right arrow over (y)}:=(y ₁ , . . . ,y _(n)) such that Σ_(j=0) ^(n-1) y _(n-j) z ^(j)=^(n-1-n)′·Π_(j=1) ^(n)′(z−x _(j))  [Formula 213]

$\begin{matrix} {\mspace{79mu}{{\overset{->}{1} = {\sum\limits_{i \in I}{\alpha_{i}M_{i}}}}\mspace{20mu}{{{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M},{and}}\mspace{14mu}{I \subseteq \left\{ {i \in \left\{ {1,\ldots\mspace{11mu},L} \right\}} \middle| {\left\lbrack {{\rho(i)} = {v_{i} ⩓ {v_{i} \in \Gamma}}} \right\rbrack ⩔ \left. \quad\left\lbrack {{\rho(i)} = {{⫬ v_{i}} ⩓ {v_{i} \notin \Gamma}}} \right\rbrack \right\}} \right.}}} & \left\lbrack {{Formula}\mspace{14mu} 214} \right\rbrack \end{matrix}$

(S905: Random Number Generation Step)

With the processing device, the random number generation part 441 generates random numbers, as indicated in Formula 215.

$\begin{matrix} {{\xi\overset{U}{\longleftarrow}{??}_{q}^{x}},{\left( \beta_{i} \right)\overset{U}{\longleftarrow}\left\{ {\left. \left( {\beta_{1},\ldots\mspace{11mu},\beta_{L}} \right) \middle| {\sum_{i = 1}^{L}{\beta_{i}M_{i}}} \right. = \overset{->}{0}} \right\}}} & \left\lbrack {{Formula}\mspace{14mu} 215} \right\rbrack \end{matrix}$

(S906: Signature Element Generation Step)

With the processing device, the signature element generation part 442 generates an element s*₀ of a signature σ, as indicated in Formula 216. s ₀ *:=ξk ₀ *+r ₀*  [Formula 216] Note that r*₀ is as indicated in Formula 217.

$\begin{matrix} {{r_{0}^{*}\overset{U}{\longleftarrow}{span}}\left\langle b_{0,3}^{*} \right\rangle} & \left\lbrack {{Formula}\mspace{14mu} 217} \right\rbrack \end{matrix}$

With the processing device, the signature element generation part 442 also generates an element s*_(i) of the signature σ for each integer i=1, . . . , L, as indicated in Formula 218. s _(i)*:=γ_(i) ·ξk ₁*+Σ_(t=1) ^(n) u _(i,l) ·b _(1,l) *+r _(i)*, for i=1, . . . ,L  [Formula 218]

Note that r*_(i) is as indicated in Formula 219.

$\begin{matrix} {{r_{i}^{*}\overset{U}{\longleftarrow}{span}}\left\langle {b_{1,{{3n} + 1}}^{*},\ldots\mspace{11mu},b_{1,{4n}}^{*}} \right\rangle} & \left\lbrack {{Formula}\mspace{14mu} 219} \right\rbrack \end{matrix}$

Note also that γ_(i) and {right arrow over (u)}_(i′):=(u_(i,i′)(i′=1, . . . , n) are as indicated in Formula 220.

$\begin{matrix} {{\gamma_{i},{{\overset{->}{u}}_{i}:={\left( {u_{i,1},\ldots\mspace{11mu},u_{i,n}} \right)\mspace{14mu}{are}\mspace{14mu}{defined}\mspace{14mu}{as}}}}{{{{{if}\mspace{14mu} i} \in I} ⩓ {\rho(i)}} = {\overset{->}{v}}_{i}},{\gamma_{i}:=\alpha_{i}},{{\overset{->}{u}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{u}}_{i} \middle| {{\overset{->}{u}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = {{0 ⩓ u_{i,1}} = \beta_{i}}} \right\}},{{{{{if}\mspace{14mu} i} \in I} ⩓ {\rho(i)}} = {⫬ {\overset{->}{v}}_{i}}},{\gamma_{i}:=\frac{\alpha_{i}}{{\overset{->}{v}}_{i} \cdot \overset{->}{y}}},{{\overset{->}{u}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{u}}_{i} \middle| {{\overset{->}{u}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = \beta_{i}} \right\}},{{{{{if}\mspace{14mu} i} \notin I} ⩓ {\rho(i)}} = {\overset{->}{v}}_{i}},{\gamma_{i}:=0},{{\overset{->}{u}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{u}}_{i} \middle| {{\overset{->}{u}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = {{0 ⩓ {\overset{->}{u}}_{i,1}} = \beta_{i}}} \right\}},{{{{{if}\mspace{14mu} i} \notin I} ⩓ {\rho(i)}} = {⫬ {\overset{->}{v}}_{i}}},{\gamma_{i}:=0},{{\overset{->}{u}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{u}}_{i} \middle| {{\overset{->}{u}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = \beta_{i}} \right\}}} & \left\lbrack {{Formula}\mspace{14mu} 220} \right\rbrack \end{matrix}$

With the processing device, the signature element generation part 442 also generates an element S*_(L+1) of the signature σ, as indicated in Formula 221. s _(L+1)*:=ξ(k _(2,1) *+H _(hk) ^(λ,D)(m∥

)·k _(2,2)*)+r _(L+1)*  [Formula 221] Note that r*_(L+1) is as indicated in Formula 222.

$\begin{matrix} {{r_{L + 1}^{*}\overset{U}{\longleftarrow}{span}}\left\langle {b_{2,5}^{*},b_{2,6}^{*}} \right\rangle} & \left\lbrack {{Formula}\mspace{14mu} 222} \right\rbrack \end{matrix}$

(S907: Data Transmission Step)

With the communication device and via the network, for example, the data transmission part 450 transmits the signature σ including the element s*₀, s*_(i), and s*_(L+1), the message m, and the access structure S:=(M, ρ) to the verification device 500. As a matter of course, the signature σ may be transmitted to the verification device 500 by another method.

In brief, in (S901) through (S906), the signature device 400 generates the signature σ by executing the Sig algorithm indicated in Formula 223. In (S907), the signature device 400 transmits the generated signature σ to the verification device 500.

$\begin{matrix} {\mspace{79mu}{{{{{Sig}\left( {{pk},{sk}_{\Gamma},m,{{??}:=\left( {M,\rho} \right)}} \right)}:\mspace{20mu}{{If}\mspace{14mu}{??}\mspace{14mu}{accepts}\mspace{14mu}\Gamma}},\mspace{20mu}{{then}\mspace{14mu}{compute}}}{\overset{->}{y}:={{\left( {y_{1},\ldots\mspace{11mu},y_{n}} \right)\mspace{14mu}{such}\mspace{14mu}{that}\mspace{14mu}{\sum_{j = 0}^{n - 1}{y_{n - j}z^{j}}}} = {z^{n - 1 - n^{\prime}} \cdot {\prod_{j = 1}^{n^{\prime}}\left( {z - x_{j}} \right)}}}}\mspace{20mu}{I\mspace{14mu}{and}\mspace{14mu}\left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu}{such}\mspace{14mu}{that}}\mspace{20mu}{\overset{->}{1} = {\sum\limits_{i \in I}{\alpha_{i}M_{i}}}}\mspace{20mu}{{{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{20mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M},{and}}{I\mspace{14mu} \subseteq \left\{ {\left. {i \in \left\{ {1,\ldots\mspace{11mu},L} \right\}} \middle| {\left\lbrack {{\rho(i)} = {v_{i} ⩓ {v_{i} \in \Gamma}}} \right\rbrack ⩔ {\left. \quad\left\lbrack {{\rho(i)} = {{⫬ v_{i}} ⩓ {v_{i} \notin \Gamma}}} \right\rbrack \right\}{\xi\overset{U}{\longleftarrow}{??}_{q}^{x}}}} \right.,\;{\left( \beta_{i} \right)\overset{U}{\longleftarrow}\left\{ {\left. \left( {\beta_{1},\ldots\mspace{11mu},\beta_{L}} \right) \middle| {\sum_{i = 1}^{L}{\beta_{i}M_{i}}} \right. = \overset{->}{0}} \right\}},\mspace{20mu}{s_{0}^{*}:={{\xi\; k_{0}^{*}} + r_{0}^{*}}},\;{{where}\mspace{14mu}{r_{0}^{*}\overset{U}{\longleftarrow}{span}}\left\langle b_{0,3}^{*} \right\rangle},} \right.}}} & \left\lbrack {{Formula}\mspace{14mu} 223\text{-}1} \right\rbrack \\ {{{\left. {{{s_{i}^{*}:={{{\gamma_{i} \cdot \xi}\; k_{1}^{*}} + {\sum_{t = 1}^{n}{u_{i,t} \cdot b_{1,t}^{*}}} + r_{i}^{*}}},{{\overset{->}{v}}_{i}:=\left( {v_{i}^{n - 1},\ldots\mspace{11mu},v_{i},1} \right)},\mspace{11mu}{{{for}\mspace{14mu} i} = 1},\ldots\mspace{11mu},L,\mspace{20mu}{{where}\mspace{14mu}{r_{i}^{*}\overset{U}{\longleftarrow}{span}}\left\langle {b_{1,{{3n} + 1}}^{*},\ldots\mspace{11mu},b_{1,{4n}}^{*}} \right\rangle},\mspace{20mu}\gamma_{i},{{\overset{->}{u}}_{i}:={\left( {u_{i,1},\ldots\mspace{11mu},u_{i,n}} \right)\mspace{14mu}{are}\mspace{14mu}{defined}\mspace{14mu}{as}}}}\mspace{20mu}{{{{{{if}\mspace{14mu} i} \in I} ⩓ {\rho(i)}} = {\overset{->}{v}}_{i}},\mspace{20mu}{\gamma_{i}:=\alpha_{i}},\;{{\overset{->}{u}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{u}}_{i} \middle| {{\overset{->}{u}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = {{0 ⩓ u_{i,1}} = \beta_{i}}} \right\}},\mspace{20mu}{{{{{if}\mspace{14mu} i} \in I} ⩓ {\rho(i)}} = {⫬ {\overset{->}{v}}_{i}}},\mspace{20mu}{\gamma_{i}:=\frac{\alpha_{i}}{{\overset{->}{v}}_{i} \cdot \overset{->}{y}}},\;{{\overset{->}{u}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{u}}_{i} \middle| {{\overset{->}{u}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = \beta_{i}} \right\}},\mspace{20mu}{{{{{if}\mspace{14mu} i} \notin I} ⩓ {\rho(i)}} = {\overset{->}{v}}_{i}},\mspace{20mu}{\gamma_{i}:=0},\;{{\overset{->}{u}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{u}}_{i} \middle| {{\overset{->}{u}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = {{0 ⩓ {\overset{->}{u}}_{i,1}} = \beta_{i}}} \right\}},\mspace{20mu}{{{{{if}\mspace{14mu} i} \notin I} ⩓ {\rho(i)}} = {⫬ {\overset{->}{v}}_{i}}},\mspace{20mu}{\gamma_{i}:=0},\;{{\overset{->}{u}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{u}}_{i} \middle| {{\overset{->}{u}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = \beta_{i}} \right\}}}\mspace{20mu}{s_{L + 1}^{*}:={{\xi\left( {k_{2,1}^{*} + {{H_{hk}^{\lambda,D}\left( m \right.}{??}}} \right)} \cdot k_{2,2}^{*}}}} \right) + r_{L + 1}^{*}}\mspace{20mu}{{{where}\mspace{14mu}{r_{L + 1}^{*}\overset{U}{\longleftarrow}{span}}\left\langle {b_{2,5}^{*},b_{2,6}^{*}} \right\rangle},\mspace{20mu}{{{return}\mspace{14mu}\sigma}:={\left( {s_{0}^{*},\ldots\mspace{11mu},s_{L + 1}^{*}} \right).}}}}\mspace{14mu}} & \left\lbrack {{Formula}\mspace{14mu} 223\text{-}2} \right\rbrack \end{matrix}$

The function and operation of the verification device 500 will be described.

As illustrated in FIG. 21, the verification device 500 includes a public parameter receiving part 510, a data receiving part 520, a verification data generation part 530, and a verification part 540. The verification data generation part 530 includes an f vector generation part 531, an s vector generation part 532, a random number generation part 533, and a verification element generation part 534.

With reference to FIG. 25, the process of the Ver algorithm will be described.

(S1001: Public Parameter Receiving Step)

With the communication device and via the network, for example, the public parameter receiving part 510 receives the public parameter pk generated by the key generation device 100.

(S1002: Signature Receiving Step)

With the communication device and via the network, for example, the data receiving part 520 receives the signature c transmitted by the signature device 400.

(S1003: f Vector Generation Step)

With the processing device, the f vector generation part 531 randomly generates a vector {right arrow over (f)}, as indicated in Formula 224.

$\begin{matrix} {\overset{->}{f}\overset{U}{\longleftarrow}{??}_{q}^{r}} & \left\lbrack {{Formula}\mspace{14mu} 224} \right\rbrack \end{matrix}$

(S1004: s Vector Generation Step)

With the processing device, the s vector generation part 532 generates a vector {right arrow over (s)}^(T):=(s₁, . . . , s_(L))^(T), as indicated in Formula 225. {right arrow over (s)} ^(T):=(s ₁ , . . . ,s _(L))^(T) :=M·{right arrow over (f)} ^(T)  [Formula 225]

With the processing device, the s vector generation part 532 also generates a value so, as indicated in Formula 226. s ₀:={right arrow over (1)}·{right arrow over (f)} ^(T)  [Formula 226]

(S1005: Random Number Generation Step)

With the processing device, the random number generation part 533 generates random numbers, as indicated in Formula 227.

$\begin{matrix} {\eta_{0},\eta_{L + 1},\theta_{L + 1},{s_{L + 1}\overset{U}{\longleftarrow}{??}_{q}},{{{{\overset{->}{\eta}}_{i}\overset{U}{\longleftarrow}{??}_{q}^{2n}}\mspace{31mu}{for}\mspace{14mu} i} = 1},\ldots\mspace{11mu},L,{{{\theta_{i}\overset{U}{\longleftarrow}{??}_{q}}\mspace{31mu}{for}\mspace{14mu} i} = 1},\ldots\mspace{11mu},L} & \left\lbrack {{Formula}\mspace{14mu} 227} \right\rbrack \end{matrix}$

(S1006: Verification Element Generation Step)

With the processing device, the verification element generation part 534 generates an element c₀ of a verification key, as indicated in Formula 228. c ₀:=(−s ₀ −s _(L+1),0,0,η₀)

₀  [Formula 228]

With the processing device, the verification element generation part 534 also generates an element c_(i) of the verification key for each integer i=1, . . . , L, as indicated in Formula 229.

$\begin{matrix} {{{{{for}\mspace{14mu} i} = 1},\ldots\mspace{11mu},L,{{\overset{->}{v}}_{i}:=\left( {v_{i}^{n - 1},\ldots\mspace{11mu},v_{i},1} \right)},{{{if}\mspace{14mu}{\rho(i)}} = v_{i}}}{{c_{i}:=\begin{pmatrix} \overset{\overset{n}{︷}}{{{s_{i}\;{\overset{->}{e}}_{1}} + {\theta_{i}{\overset{->}{v}}_{t}}},} & \overset{\overset{2n}{︷}}{0^{2n},} & \overset{\overset{n}{︷}}{0^{n},} & \overset{\overset{2n}{︷}}{{\overset{->}{\eta}}_{i}} \end{pmatrix}_{{??}_{1}}},{{{if}\mspace{14mu}{\rho(i)}} = {⫬ v_{i}}},{c_{i}:=\begin{pmatrix} \overset{\overset{n}{︷}}{{s_{i}\;{\overset{->}{v}}_{t}},} & \overset{\overset{2n}{︷}}{0^{2n},} & \overset{\overset{n}{︷}}{0^{n},} & \overset{\overset{2n}{︷}}{{\overset{->}{\eta}}_{i}} \end{pmatrix}_{{??}_{1}}}}} & \left\lbrack {{Formula}\mspace{14mu} 229} \right\rbrack \end{matrix}$

With the processing device, the verification element generation part 534 also generates an element c_(L+1) of the verification key, as indicated in Formula 230. c _(L+1):=(s _(L+1)−θ_(L+1) H _(hk) ^(λ,D)(m∥

),θ_(L+1),0,0,0,0,η_(L+1))

₂  [Formula 230]

(S1007: First Pairing Operation Step)

With the processing device, the verification part 540 computes a pairing operation e (b_(0,1), s*₀).

If the result of computing the pairing operation e (b_(0,1), s*₀) is a value 1, the verification part 540 outputs a value 0 indicating that the verification of the signature has failed, and ends the process. If the result of computing the pairing operation e (b_(0,1), s*₀) is not a value 1, the verification part 540 advances the process to S1008.

(S1008: Second Pairing Operation Step)

With the processing device, the verification part 540 computes a pairing operation indicated in Formula 231. Π_(i=0) ^(L+1) e(c _(i) ,s _(i)*)  [Formula 231]

If the result of computing the pairing operation indicated in Formula 231 is a value 1, the verification part 540 outputs a value 1 indicating that the verification of the signature has succeeded. If the result is other than a value 1, the verification part 540 outputs a value 0 indicating that the verification of the signature has failed.

In brief, in (S1001) through (S1008), the verification device 500 verifies the signature σ by executing the Ver algorithm indicated in Formula 232.

$\begin{matrix} {\mspace{79mu}{{{Ver}\left( {{pk},m,{{??}:=\left( {M,\rho} \right)},\sigma} \right)}{{\overset{->}{f}\overset{U}{\longleftarrow}{??}_{q}^{r}},{{\overset{->}{s}}^{T}:={\left( {s_{1},\ldots\mspace{11mu},s_{L}} \right)^{T}:={M \cdot {\overset{->}{f}}^{T}}}},{s_{0}:={\overset{->}{1} \cdot {\overset{->}{f}}^{T}}},\mspace{20mu}\eta_{0},\eta_{L + 1},\theta_{L + 1},{s_{L + 1}\overset{U}{\longleftarrow}{??}_{q}},\mspace{20mu}{c_{0}:=\left( {{{- s_{0}} - s_{L + 1}},0,0,\eta_{0}} \right)_{{??}_{0}}},\mspace{20mu}{{{for}\mspace{14mu} i} = 1},\ldots\mspace{11mu},L,{{\overset{->}{v}}_{i}:=\left( {v_{i}^{n - 1},\ldots\mspace{11mu},v_{i},1} \right)},\mspace{20mu}{{{if}\mspace{14mu}\rho(i)} = v_{i}},\mspace{20mu}{{{if}\mspace{14mu} s_{i}^{*}} \notin {??}_{1}},{{return}\mspace{14mu} 0},\mspace{20mu}{{else}\mspace{14mu}{\theta_{i}\overset{U}{\longleftarrow}{??}_{q}}},{{\overset{->}{\eta}}_{i}\overset{U}{\longleftarrow}{??}_{q}^{2n}},\mspace{20mu}{c_{i}:=\begin{pmatrix} \overset{\overset{n}{︷}}{{{s_{i}\;{\overset{->}{e}}_{t,1}} + {\theta_{i}{\overset{->}{v}}_{t}}},} & \overset{\overset{2n}{︷}}{0^{2n},} & \overset{\overset{n}{︷}}{0^{n},} & \overset{\overset{2n}{︷}}{{\overset{->}{\eta}}_{i}} \end{pmatrix}_{{??}_{1}}},\mspace{20mu}{{{if}\mspace{14mu}{\rho(i)}} = {⫬ v_{i}}},\mspace{20mu}{{{if}\mspace{14mu} s_{i}^{*}} \notin {??}_{1}},{{return}\mspace{14mu} 0},\mspace{20mu}{{else}\mspace{14mu}{\theta_{i}\overset{U}{\longleftarrow}{??}_{q}}},{{\overset{->}{\eta}}_{i}\overset{U}{\longleftarrow}{??}_{q}^{2n}},\mspace{20mu}{c_{i}:=\begin{pmatrix} \overset{\overset{n}{︷}}{{s_{i}\;{\overset{->}{v}}_{t}},} & \overset{\overset{2n}{︷}}{0^{2n},} & \overset{\overset{n}{︷}}{0^{n},} & \overset{\overset{2n}{︷}}{{\overset{->}{\eta}}_{i}} \end{pmatrix}_{{??}_{1}}}}{c_{L + 1}:=\left( {{s_{L + 1} - {\theta_{L + 1}{H_{hk}^{\lambda,D}\left( {{m\left. {??} \right)},\theta_{L + 1},0,0,0,0,\eta_{L + 1}} \right)}_{{??}_{2}}}},\mspace{20mu}{{{return}\mspace{14mu} 0\mspace{14mu}{if}\mspace{14mu}{e\left( {b_{0,1},s_{0}^{*}} \right)}} = 1},\mspace{20mu}{{{return}\mspace{14mu} 1\mspace{14mu}{if}\mspace{14mu}{\prod_{i = 0}^{L + 1}{e\left( {c_{i},s_{i}^{*}} \right)}}} = 1},\mspace{20mu}{{return}\mspace{14mu} 0\mspace{14mu}{{otherwise}.}}} \right.}}} & \left\lbrack {{Formula}\mspace{14mu} 232} \right\rbrack \end{matrix}$

As described above, it is possible to construct the ABS scheme to which the CP-ABE scheme described in Embodiment 2 is applied.

Similarly as in the CP-ABE scheme described in Embodiment 2 in which the size of the decryption key sk_(Γ) can be reduced, the size of the signature key sk_(Γ) can be reduced in the ABS scheme described in Embodiment 4.

The ABS scheme to which the CP-ABE scheme described in Embodiment 2 is applied has been described herein. It is also possible to construct an ABS scheme to which the CP-FE scheme described in Embodiment 3 is applied by applying the concept of Embodiment 3 to the ABS scheme described in Embodiment 4.

Embodiment 5

In the above embodiments, the methods for implementing the cryptographic processes in dual vector spaces have been described. In Embodiment 5, a method for implementing the cryptographic processes in dual modules will be described.

That is, in the above embodiments, the cryptographic processes are implemented in cyclic groups of prime order q. However, when a ring R is expressed using a composite number M as indicated in Formula 233, the cryptographic processes described in the above embodiments can be adapted to a module having the ring R as a coefficient.

  [Formula 233] where

: integer, and M: composite number.

By changing F_(q) to R in the algorithms described in the above embodiments, the cryptographic processes in dual additive groups can be implemented.

In the above embodiments, the encoding part, the hidden part, the secret key randomness part, and the ciphertext randomness part are n-, 2n-, 2n- and n-dimensional, respectively, and the basis B₁ and basis B*₁ are 6n-dimensional. However, it is not limited to this, and the hidden part, the secret key randomness part, and the ciphertext randomness part may be u-, w-, and z-dimensional not depending on n, respectively, and the basis B₁ and basis B*₁ may be n+u+w+z-dimensional, where u, w, and z are integers of 0 or greater.

In the above description, in the case of KP, an element of a ciphertext is generated using a first vector, and an element of a decryption key is generated using a second vector, in order to reduce the size of the ciphertext. However, in the case of KP, an element of a decryption key may be generated using a first vector, and an element of a ciphertext may be generated using a second vector, in order to reduce the size of the decryption key.

Similarly, in the above description, in the case of CP, an element of a decryption key is generated using a first vector, and an element of a ciphertext is generated using a second vector, in order to reduce the size of the decryption key. However, in the case of CP, an element of a ciphertext may be generated using a first vector, and an element of a decryption key may be generated using a second vector, in order to reduce the size of the ciphertext.

In the above embodiments, a single key generation device 100 generates a decryption key. However, a single decryption key may be generated by a plurality of key generation devices 100 by combining the algorithms of the above embodiments with a multi-authority scheme described in Non-Patent Literature 3.

From the view point of security proof, in the above embodiments, ρ(i) for each integer i=1, . . . , L may be limited to a positive tuple (t, {right arrow over (v)}) or negative tuple

(t, {right arrow over (v)}) for respectively different identification information t.

In other words, when ρ(i)=(t, {right arrow over (v)}) or ρ(i)=

(t, {right arrow over (v)}), let a function ρ^(˜) be map of {1, . . . , L}→{1, . . . , d} such that ρ^(˜)(i)=t. In this case, ρ^(˜) may be limited to injection. Note that ρ(i) is ρ(i) in the access structure S:=(M, ρ(i)) described above.

FIG. 26 is a diagram illustrating an example of a hardware configuration of each device (the key generation device 100, the encryption device 200, the decryption device 300, the signature device 400, and the verification device 500) of the cryptographic system 10 presented in Embodiments 1 to 5.

Each device of the cryptographic system 10 is a computer, and each element of each device of the cryptographic system 10 can be implemented by a program.

As the hardware configuration of each device of the cryptographic system 10, an arithmetic device 901, an external storage device 902, a main storage device 903, a communication device 904, and an input/output device 905 are connected to a bus.

The arithmetic device 901 is a CPU (Central Processing Unit) or the like that executes programs. The external storage device 902 is, for example, a ROM (Read Only Memory), a flash memory, a hard disk device, or the like. The main storage device 903 is, for example, a RAM (Random Access Memory) or the like. The communication device 904 is, for example, a communication board or the like. The input/output device 905 is, for example, a mouse, a keyboard, a display device, or the like.

The programs are normally stored in the external storage device 902. The programs are loaded into the main storage device 903 to be sequentially read and executed by the arithmetic device 901.

The programs are those that implement the functions described as the master key generation part 110, the master key storage part 120, the information input part 130, the decryption key generation part 140, the key transmission part 150, the public parameter receiving part 210, the information input part 220, the encrypted data generation part 230, the data transmission part 240, the decryption key receiving part 310, the data receiving part 320, the span program computation part 330, the complementary coefficient computation part 340, the decryption part 350, the signature key receiving part 410, the information input part 420, the complementary coefficient computation part 430, the signature data generation part 440, the data transmission part 450, the public parameter receiving part 510, the data receiving part 520, the verification data generation part 530, and the verification part 540.

Further, an operating system (OS) is also stored in the external storage device 902. At least part of the OS is loaded into the main storage device 903, and the arithmetic device 901 executes the above-described programs while executing the OS.

Information, data, signal values, and variable values described as the “public parameter pk”, the “master secret key sk”, the “decryption keys sk_(Γ) and sk_(S)”, the “ciphertexts ct_(S) and Ct_(Γ)”, the “Signature Key Sk_(Γ)”, the “Verification Key”, the “Access structure S”, the “attribute set Γ”, the “message m”, the “signature σ”, and so on in the description of Embodiments 1 to 5 are stored as files in the main storage device 903.

The configuration of FIG. 26 indicates an example of the hardware configuration of each device of the cryptographic system 10. The hardware configuration of each device of the cryptographic system 10 is not limited to the configuration of FIG. 26, and may be a different configuration.

REFERENCE SIGNS LIST

-   -   100: key generation device, 110: master key generation part,         111: space generation part, 112: matrix generation part, 113:         basis generation part, 114: key generation part, 120: master key         storage part, 130: information input part, 140: decryption key         generation part, 141: f vector generation part, 142: s vector         generation part, 143: random number generation part, 144: key         element generation part, 150: key transmission part, 200:         encryption device, 210: public parameter receiving part, 220:         information input part, 230: encrypted data generation part,         231: random number generation part, 232: cipher element         generation part, 233: f vector generation part, 234: s vector         generation part, 240: data transmission part, 300: decryption         device, 310: decryption key receiving part, 320: data receiving         part, 330: span program computation n part, 340: complementary         coefficient computation part, 350: decryption part, 400:         signature device, 410: signature key receiving part, 420:         information input part, 430: complementary coefficient         computation part, 440: signature data generation part, 441:         random number generation part, 442: signature element generation         part, 450: data transmission part, 500: verification device,         510: public parameter receiving part, 520: data receiving part,         530: verification data generation part, 531: f vector generation         part, 532: s vector generation part, 533: random number         generation part, 534: verification element generation part, and         540: verification part 

The invention claimed is:
 1. A cryptographic system to perform a cryptographic process using a basis B and a basis B*, the cryptographic system comprising: processing circuitry to: generate a transmission-side vector being a vector in the basis B and being generated using one vector of a first vector consisting of coefficients y_(j) (j=1, . . . , n) of a polynomial having attribute information x_(i) (i=1, . . . , n′, n′ being an integer from 1 to n−1, n being an integer of 2 or greater) as roots and a second vector consisting of v₁ ^(i) (i=0, . . . , n−1) being a power of predicate information v₁; perform a pairing operation on the transmission-side vector and a reception-side vector being a vector in the basis B* and being generated using another vector of the first vector and the second vector; and generate at least one of a ciphertext, decryption key and signature output of reduced size containing the transmission-side vector or reception-side vector to reduce processing time of an encryption or decryption process.
 2. The cryptographic system according to claim 1, wherein the basis B and the basis B* are bases which are generated by transforming a basis A by using a sparse matrix having at least one value other than a constant value 0 in each row and each column.
 3. A cryptographic system to perform a cryptographic process using a basis B and a basis B*, the cryptographic system comprising: processing circuitry to: generate a transmission-side vector being a vector in the basis B and being generated using one vector of a first vector consisting of coefficients y_(j) (j=1, . . . , n) of a polynomial having attribute information x_(i) (i=1, . . . , n′, n′ being an integer from 1 to n−1, n being an integer of 2 or greater) as roots and a second vector consisting of v₁ ^(i) (i=0, . . . , n−1) being a power of predicate information v₁; perform a pairing operation on the transmission-side vector and a reception-side vector being a vector in the basis B* and being generated using another vector of the first vector and the second vector; and generate at least one of a ciphertext, decryption key, and signature output of reduced size containing the transmission-side vector or reception-side vector to reduce processing time of an encryption or decryption process, wherein the first vector is a vector indicated in Formula 1, and the second vector is a vector indicated in Formula 2 {right arrow over (y)}:=(y ₁ , . . . ,y _(n)) such that Σ_(j=0) ^(n-1) y _(n-j) z ^(j) =z ^(n-1-n′)·(z−x _(j))  [Formula 1] {right arrow over (v)} ₁:=(v ₁ ^(n-1n) , . . . ,v ₁,1)  [Formula 2]
 4. The cryptographic system according to claim 3, wherein the processing circuitry generates at least one of a ciphertext ct_(Γ) including a transmission-side vector c₁ indicated in Formula 3, and decrypts the ciphertext ct_(Γ) by using a decryption key sk_(S) including a reception-side vector k*_(i) indicated in Formula 4 $\begin{matrix} {{c_{1} = \begin{pmatrix} \overset{\overset{n}{︷}}{{\omega\;\overset{->}{y}},} & \ldots \end{pmatrix}_{{??}_{1}}}{where}{\omega\overset{U}{\longleftarrow}{??}_{q}}} & \left\lbrack {{Formula}\mspace{14mu} 3} \right\rbrack \\ {{{{{for}\mspace{14mu} i} = 1},\ldots\mspace{11mu},L,{{{if}\mspace{14mu}{\rho(i)}} = v_{i}},{k_{i}^{*}:=\begin{pmatrix} \overset{\overset{n}{︷}}{{{s_{i}\;{\overset{->}{e}}_{1}} + {\theta_{i}{\overset{->}{v}}_{i}}},} & \ldots \end{pmatrix}_{{??}_{1}^{*}}},{{{if}\mspace{14mu}{\rho(i)}} = {⫬ v_{i}}},{k_{i}^{*}:=\begin{pmatrix} \overset{\overset{n_{t}}{︷}}{{s_{i}\;{\overset{->}{v}}_{i}},} & \ldots \end{pmatrix}_{{??}_{1}^{*}}}}{where}{{\overset{->}{f}\overset{U}{\longleftarrow}{??}_{q}^{r}},{{\overset{->}{s}}^{T}:={\left( {s_{1},\ldots\mspace{11mu},s_{L}} \right)^{T}:={M \cdot {\overset{->}{f}}^{T}}}},{s_{0}:={\overset{->}{1} \cdot {\overset{->}{f}}^{T}}},{\theta_{i}\overset{U}{\longleftarrow}{??}_{q}},{{\overset{->}{v}}_{i}:={\left( {v_{i}^{n - 1},\ldots\mspace{11mu},v_{i},1} \right).}}}} & \left\lbrack {{Formula}\mspace{14mu} 4} \right\rbrack \end{matrix}$
 5. The cryptographic system according to claim 3, wherein the processing circuitry generates at least one of a ciphertext ct_(S) including a transmission-side vector c_(i) indicated in Formula 5, and decrypts the ciphertext ct_(S) by using a decryption key sk_(Γ) including a reception-side vector k*₁ indicated in Formula 6 $\begin{matrix} {{{{{for}\mspace{14mu} i} = 1},\ldots\mspace{11mu},L,{{{if}\mspace{14mu}{\rho(i)}} = v_{i}},{c_{i}:=\begin{pmatrix} \overset{\overset{n}{︷}}{{{s_{i}\;{\overset{->}{e}}_{1}} + {\theta_{i}{\overset{->}{v}}_{i}}},} & \ldots \end{pmatrix}_{{??}_{1}}},{{{if}\mspace{14mu}{\rho(i)}} = {⫬ v_{i}}},{c_{i}:=\begin{pmatrix} \overset{\overset{n_{t}}{︷}}{{s_{i}\;{\overset{->}{v}}_{i}},} & \ldots \end{pmatrix}_{{??}_{1}}}}{where}{\overset{->}{f}\overset{U}{\longleftarrow}{??}_{q}^{r}},{{\overset{->}{s}}^{T}:={\left( {s_{1},\ldots\mspace{11mu},s_{L}} \right)^{T}:={M \cdot {\overset{->}{f}}^{T}}}},{s_{0}:={\overset{->}{1} \cdot {\overset{->}{f}}^{T}}},{\theta_{i}\overset{U}{\longleftarrow}{??}_{q}},{{\overset{->}{v}}_{i}:=\left( {v_{i}^{n - 1},\ldots\mspace{11mu},v_{i},1} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 5} \right\rbrack \\ {{k_{1}^{*} = \begin{pmatrix} \overset{\overset{n}{︷}}{{\omega\;\overset{->}{y}},} & \ldots \end{pmatrix}_{{??}_{1}^{*}}}{where}{{\omega\overset{U}{\longleftarrow}{??}_{q}}.}} & \left\lbrack {{Formula}\mspace{14mu} 6} \right\rbrack \end{matrix}$
 6. The cryptographic system according to claim 3, wherein the processing circuitry generates at least one of a ciphertext ct_(Γ) including a transmission-side vector c_(1.t) indicated in Formula 7, and decrypts the ciphertext ct_(Γ) by using a decryption key sk_(S) including a reception-side vector k*_(i.t) indicated in Formula 8 $\begin{matrix} {{{c_{1,t} = \begin{pmatrix} \overset{\overset{n_{t}}{︷}}{{\omega\;{\overset{->}{y}}_{t}},} & \ldots \end{pmatrix}_{{??}_{1,t}}}{where}\omega\overset{U}{\longleftarrow}{??}_{q}},{{\overset{->}{y}}_{t}:={{\left( {y_{1,t},\ldots\mspace{11mu},y_{n_{t},t}} \right)\mspace{14mu}{such}\mspace{14mu}{that}\mspace{14mu}{\sum_{j = 0}^{n_{t} - 1}{y_{{n_{t} - j},t}z^{j}}}} = {z^{n_{t} - 1 - n_{t}^{\prime}} \cdot {\prod_{j = 1}^{n_{t}^{\prime}}\left( {z - x_{j,t}} \right)}}}}} & \left\lbrack {{Formula}\mspace{14mu} 7} \right\rbrack \\ {{{{for}\mspace{14mu} i} = 1},\ldots\mspace{11mu},L,{{{if}\mspace{14mu}{\rho(i)}} = \left( {t,v_{i}} \right)},{k_{i}^{*}:=\begin{pmatrix} \overset{\overset{n_{t}}{︷}}{{{s_{i}\;{\overset{->}{e}}_{1,t}} + {\theta_{i}{\overset{->}{v}}_{i}}},} & \ldots \end{pmatrix}_{{??}_{1,t}^{*}}},{{{if}\mspace{14mu}{\rho(i)}} = {⫬ \left( {t,v_{i}} \right)}},{k_{i}^{*}:={\begin{pmatrix} \overset{\overset{n_{t}}{︷}}{{s_{i}\;{\overset{->}{v}}_{i}},} & \ldots \end{pmatrix}_{{??}_{1,t}^{*}}{where}{\overset{->}{f}\overset{U}{\longleftarrow}{??}_{q}^{r}}}},{{\overset{->}{s}}^{T}:={\left( {s_{1},\ldots\mspace{11mu},s_{L}} \right)^{T}:={M \cdot {\overset{->}{f}}^{T}}}},{s_{0}:={\overset{->}{1} \cdot {\overset{->}{f}}^{T}}},{\theta_{i}\overset{U}{\longleftarrow}{??}_{q}},{{\overset{->}{v}}_{i}:={\left( {v_{i}^{n_{t} - 1},\ldots\mspace{11mu},v_{i},1} \right).}}} & \left\lbrack {{Formula}\mspace{14mu} 8} \right\rbrack \end{matrix}$
 7. The cryptographic system according to claim 3, wherein the processing circuitry generates at least one of a ciphertext ct_(S) including a transmission-side vector c_(i.t) indicated in Formula 9, and decrypts the ciphertext ct_(S) by using a decryption key sk_(Γ) including a reception-side vector k*_(1.t) indicated in Formula 10 $\begin{matrix} {\mspace{79mu}{{{{{for}\mspace{14mu} i} = 1},\ldots\mspace{11mu},L,\mspace{20mu}{{{if}\mspace{14mu}{\rho(i)}} = \left( {t,v_{i}} \right)},\mspace{20mu}{c_{i}:=\begin{pmatrix} \overset{\overset{n_{t}}{︷}}{{{s_{i}\;{\overset{->}{e}}_{1,t}} + {\theta_{i}{\overset{->}{v}}_{i}}},} & \ldots \end{pmatrix}_{{??}_{1,t}}},\mspace{20mu}{{{if}\mspace{14mu}{\rho(i)}} = {⫬ \left( {t,v_{i}} \right)}},\mspace{20mu}{c_{i}:=\begin{pmatrix} \overset{\overset{n_{t}}{︷}}{{s_{i}\;{\overset{->}{v}}_{i}},} & \ldots \end{pmatrix}_{{??}_{1,t}}}}\mspace{20mu}{where}\mspace{20mu}{{\overset{->}{f}\overset{U}{\longleftarrow}{??}_{q}^{r}},\mspace{20mu}{{\overset{->}{s}}^{T}:={\left( {s_{1},\ldots\mspace{11mu},s_{L}} \right)^{T}:={M \cdot {\overset{->}{f}}^{T}}}},\mspace{20mu}{s_{0}:={\overset{->}{1} \cdot {\overset{->}{f}}^{T}}},\mspace{20mu}{\theta_{i,t}\overset{U}{\longleftarrow}{??}_{q}},\mspace{20mu}{{\overset{->}{v}}_{i}:=\left( {v_{i}^{n_{t} - 1},\ldots\mspace{11mu},v_{i},1} \right)}}}} & \left\lbrack {{Formula}\mspace{14mu} 9} \right\rbrack \\ {\mspace{79mu}{{k_{1,t}^{*} = \begin{pmatrix} \overset{\overset{n_{t}}{︷}}{{\omega\;\overset{->}{y_{t}}},} & \ldots \end{pmatrix}_{{??}_{1,t}^{*}}}\mspace{20mu}{where}\mspace{20mu}{{\omega\overset{U}{\longleftarrow}{??}_{q}},{{\overset{->}{y}}_{t}:={{\left( {y_{1,t},\ldots\mspace{11mu},y_{n_{t},t}} \right)\mspace{14mu}{such}\mspace{14mu}{that}\mspace{14mu}{\sum_{j = 0}^{n_{t} - 1}{y_{{n_{t} - j},t}z^{j}}}} = {z^{n_{t} - 1 - n_{t}^{\prime}} \cdot {\prod_{j = 1}^{n_{t}^{\prime}}{\left( {z - x_{j,t}} \right).}}}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 10} \right\rbrack \end{matrix}$
 8. The cryptographic system according to claim 3, wherein the processing circuitry generates a signature Sig including a transmission-side vector s*_(i) indicated in Formula 11, and verifies the signature Sig by using a verification key vk including a reception-side vector c_(i) indicated in Formula 12 $\begin{matrix} {{{s_{i}^{*}:={{{\gamma_{i} \cdot \xi}\; k_{1}^{*}} + {\sum_{t = 1}^{n}{u_{i,t} \cdot b_{1,t}^{*}}}}},{{{for}\mspace{14mu} i} = 1},\ldots\mspace{11mu},L}{where}{{k_{1}^{*} = \begin{pmatrix} \overset{\overset{n}{︷}}{{\omega\;\overset{->}{y}},} & \ldots \end{pmatrix}_{{??}_{1}^{*}}},{\xi\overset{U}{\longleftarrow}{??}_{q}},\gamma_{i},{{\overset{->}{u}}_{i}:={{{{\left( {u_{i,1},\ldots\mspace{11mu},u_{i,n}} \right)\mspace{14mu}{are}\mspace{14mu}{defined}\mspace{14mu}{as}{if}\mspace{14mu} i} \in I} ⩓ {\rho(i)}} = {\overset{->}{v}}_{i}}},{\gamma_{i}:=\alpha_{i}},{{\overset{->}{u}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{u}}_{i} \middle| {{\overset{->}{u}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = {{0 ⩓ u_{i,1}} = \beta_{i}}} \right\}},{{{{{if}\mspace{14mu} i} \in I} ⩓ {\rho(i)}} = {⫬ {\overset{->}{v}}_{i}}},{\gamma_{i}:=\frac{\alpha_{i}}{{\overset{->}{v}}_{i} \cdot \overset{->}{y}}},{{\overset{->}{u}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{u}}_{i} \middle| {{\overset{->}{u}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = \beta_{i}} \right\}},{{{{{if}\mspace{14mu} i} \notin I} ⩓ {\rho(i)}} = {\overset{->}{v}}_{i}},{\gamma_{i}:=0},{{\overset{->}{u}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{u}}_{i} \middle| {{\overset{->}{u}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = {{0 ⩓ u_{i,1}} = \beta_{i}}} \right\}},{{{{{if}\mspace{14mu} i} \notin I} ⩓ {\rho(i)}} = {⫬ {\overset{->}{v}}_{i}}},{\gamma_{i}:=0},{{\overset{->}{u}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{u}}_{i} \middle| {{\overset{->}{u}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = \beta_{i}} \right\}}}} & \left\lbrack {{Formula}\mspace{14mu} 11} \right\rbrack \\ {{{{{for}\mspace{14mu} i} = 1},\ldots\mspace{11mu},L,{{{if}\mspace{14mu}{\rho(i)}} = v_{i}}}{{c_{i}:=\begin{pmatrix} \overset{\overset{n}{︷}}{{{s_{i}\;{\overset{->}{e}}_{1}} + {\theta_{i}{\overset{->}{v}}_{t}}},} & \ldots \end{pmatrix}_{{??}_{1}}},{{{if}\mspace{14mu}{\rho(i)}} = {⫬ v_{i}}},{c_{i}:=\begin{pmatrix} \overset{\overset{n_{t}}{︷}}{{s_{i}\;{\overset{->}{v}}_{t}},} & \ldots \end{pmatrix}_{{??}_{1}}}}{where}{{\overset{->}{f}\overset{U}{\longleftarrow}{??}_{q}^{r}},{{\overset{->}{s}}^{T}:={\left( {s_{1},\ldots\mspace{11mu},s_{L}} \right)^{T}:={M \cdot {\overset{->}{f}}^{T}}}},{s_{0}:={\overset{->}{1} \cdot {\overset{->}{f}}^{T}}},{\theta_{i}\overset{U}{\longleftarrow}{??}_{q}},{{\overset{->}{v}}_{i}:={\left( {v_{i}^{n - 1},\ldots\mspace{11mu},v_{i},1} \right).}}}} & \left\lbrack {{Formula}\mspace{14mu} 12} \right\rbrack \end{matrix}$
 9. A non-transitory computer readable medium storing a cryptographic program for performing a cryptographic process using a basis B and a basis B*, the cryptographic program causing a computer to execute: a transmission-side process of generating a transmission-side vector being a vector in the basis B and being generated using one vector of a first vector consisting of coefficients y_(j) (j=1, n) of a polynomial having attribute information x_(i) (i=1, . . . , n′, n′ being an integer from 1 to n−1, n being an integer of 2 or greater) as roots and a second vector consisting of v₁ ^(i) (i=0, . . . , n−1) being a power of predicate information v₁; a reception-side process of performing a pairing operation on the transmission-side vector and a reception-side vector being a vector in the basis B* and being generated using another vector of the first vector and the second vector; and wherein at least one of the transmission-side process and reception-side process generates at least one of a ciphertext, decryption key and signature output of reduced size containing the transmission-side vector or reception-side vector to reduce processing time of an encryption or decryption process. 